macos-terminal
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill allows the execution of arbitrary shell commands through AppleScript. Evidence is found in scripts/window/run-script.applescript, which takes a command as an argument and executes it via the do script command.
- [DATA_EXFILTRATION]: The skill can read terminal output and scrollback history, which may contain sensitive information like environment variables, secrets, or system logs. Evidence is found in scripts/tab/contents.applescript and scripts/tab/history.applescript.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads terminal data into the agent's context without sanitization.
  - Ingestion points: scripts/tab/contents.applescript and scripts/tab/history.applescript ingest data from the terminal buffer.
  - Boundary markers: No delimiters or isolation instructions are used when returning terminal content.
  - Capability inventory: The agent can execute commands on the host system via scripts/window/run-script.applescript.
  - Sanitization: Terminal output is returned as raw text, making it possible for content displayed in the terminal to influence the agent's behavior.
Audit Metadata