zmx
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill can retrieve terminal session history using the
zmx historycommand, which serves as an ingestion point for untrusted data. If a terminal session displays attacker-controlled content containing hidden instructions, the agent might inadvertently execute them. - Ingestion points: Output from
zmx history <name>(plain text, VT escapes, or HTML). - Boundary markers: None specified in the documentation to distinguish between terminal output and agent instructions.
- Capability inventory: Terminal management commands including
zmx attach,zmx run, andzmx killwhich allow process manipulation. - Sanitization: No evidence of sanitization or filtering of terminal output before processing.
- [Command Execution] (LOW): The skill is designed to execute arbitrary shell commands via
zmx attachandzmx run. While this is the intended primary purpose of a terminal session manager, it grants the agent direct shell access, which should be monitored for unauthorized command injection.
Audit Metadata