Security audit

Zellij Terminal Workspace

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it gives agents broad terminal control and includes examples for running multiple no-confirm coding agents in detached sessions.

Install only if you want an agent to control local zellij terminal sessions. Use a dedicated data directory, avoid targeting panes that show secrets, monitor and clean up detached sessions, and do not allow --yolo or --full-auto coding-agent runs unless you explicitly requested them in a disposable or tightly scoped workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script explicitly advertises and implements deletion of all zellij sessions in a data directory, which is a destructive capability outside the stated skill purpose of remote-controlling sessions and scraping pane output. In an agent context, adding bulk session-destruction increases operational risk because it can terminate unrelated user workflows or erase active state if invoked against a shared or attacker-influenced data directory.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The deletion loop iterates over every returned session name and force-deletes each one, suppressing errors, which creates a broad destructive action with little safety control. In the skill context, this is more dangerous because the tool can act on a configurable data directory and may remove sessions unrelated to the agent's intended remote-control task.

Missing User Warnings

Medium
Confidence: 91%
Finding
On timeout, the script prints the full scraped pane contents to stderr. Because this skill interacts with remote interactive CLIs, pane output may contain secrets, tokens, credentials, personal data, or other sensitive command output; dumping that content to logs or calling processes can expose data beyond the intended recipient. The skill context makes this more dangerous because it is explicitly designed to scrape terminal panes, where sensitive transient data is commonly displayed.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.