Back to skill

Security audit

IATerm WebSocket Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent about controlling IATerm terminals, but it exposes high-impact terminal access with an under-scoped interactive JSON mode that can bypass the documented approval checks.

Install only if you intentionally want an agent-capable tool to operate IATerm terminals, including remote SSH or serial sessions. Avoid --auto-approve and persistent always-approve choices unless the target is tightly bounded, and clear ~/.cache/iaterm-ws-client to revoke cached tokens or approvals. Review the interactive mode carefully because it can send arbitrary WebSocket methods outside the documented command flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The theme-file documentation expands the skill beyond its stated purpose of WebSocket terminal control, creating scope creep and ambiguity about what actions the skill may perform. In a security-sensitive skill that can already drive terminals, unrelated filesystem-oriented instructions increase the chance of unintended file manipulation or misuse.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The interactive mode accepts arbitrary JSON and forwards it directly to the local IATerm WebSocket API, which bypasses the manifest-scoped command surface and any method-level allowlist. Because approval checks only exist for the dedicated send_input/subscribe_output paths, an operator or integrated agent can invoke undocumented or more privileged methods through interactive mode without the intended safeguards.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file is presented as a client for a handful of terminal-management operations, but the implementation includes a broader general-purpose WebSocket client capability. In an agent-skill context, that mismatch is security-relevant because downstream tooling may trust the manifest description while the code exposes a wider action surface than advertised.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.