Zellij Terminal Workspace
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly does what it says, but its instructions also encourage running detached no-confirm coding agents that could make changes without close user review.
Install only if you want the agent to control local zellij terminal sessions. Use a dedicated data directory, keep secrets out of targeted panes, monitor and clean up detached sessions, and do not allow --yolo or --full-auto coding-agent runs unless you explicitly want that behavior in a scoped sandbox.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can type into zellij sessions and read what appears in panes, which may affect running programs if pointed at the wrong session.
The core capability is direct terminal control and pane scraping. This is disclosed and purpose-aligned, but it is a powerful local automation capability.
Remote-control zellij sessions for interactive CLIs by sending keystrokes and scraping pane output.
Use a dedicated zellij data directory and session names, and only let the skill target sessions you intend the agent to control.
A mistaken or malicious instruction could cause several background coding agents to edit files or run commands at once.
The instructions encourage spawning multiple coding agents and using non-interactive/no-confirm modes. That can propagate a bad prompt or mistake across multiple workdirs without enough user review.
zellij excels at running multiple coding agents in parallel ... Codex needs `--yolo` or `--full-auto` for non-interactive fixes
Require explicit user approval before launching coding agents, avoid --yolo/--full-auto unless specifically requested, and confine work to disposable git worktrees or sandboxes.
Processes started in detached sessions may keep running after the immediate task is done.
Detached zellij sessions and their state can persist in the configured data directory. This is disclosed and cleanup commands are provided, so it is a persistence note rather than hidden behavior.
Zellij stores state (sessions, plugins, etc.) in this directory.
Monitor active sessions and run the provided cleanup or zellij delete-session commands when finished.
Secrets or sensitive text displayed in a terminal pane could be read back by the agent.
On timeout, the helper prints captured pane content to stderr. This is useful for debugging but can expose terminal output to the agent context or logs.
Content from pane $pane_id in session $session:
Avoid using this skill on panes that display secrets, tokens, private logs, or credentials.
Users may not see the required local tools or package-manager installation path from registry metadata alone.
The skill itself declares zellij and jq requirements, but the supplied registry metadata says no required binaries and no install spec. This is an under-declared dependency/install context issue, not evidence of hidden code.
requires":{"bins":["zellij","jq"]}Install zellij and jq from trusted sources and prefer registry metadata that accurately declares required binaries and supported operating systems.