"iTerm" wants access to control "Keyboard Maestro"

I'm working on a new Mac. I run a command in iTerm "direnv allow", and then this macOS dialog popped up:

"iTerm" wants access to control
"Keyboard Maestro". Allowing
control will provide access to
documents and data in
"Keyboard Maestro", and to
perform actions within that app.

An application in iTerm2 wants to use
AppleScript.

CleanShot 2025-04-25 at 14.24.45@2x

I'm familiar with Keyboard Maestro wanting to use AppleScript in terminal, but this seems like it's the other way around. Any suggestions?

1 Like

I wonder if there are any clues in the .envrc file for that directory.

I use iTerm and I have never encountered this. :thinking:

These github discussions provide some relevant information from users. It seems to me from what they write that it isn’t iTerm itself that “wants” to control anything, but that MacOS is associating something in a directory that iTerm is accessing with an application—in this case, Keyboard Maestro.

[iTerm asks for contacts and calendar access on Mac OS (#7477) · Issues · George Nachman / iterm2 · GitLab]

[Every time I start iTerm it says: "iterm.app" would like to control this computer using accessibility features. (#3316) · Issues · George Nachman / iterm2 · GitLab]

In various places, some people are suggesting that the answer is to add iTerm to “Full Disk Access” in System Settings. I would strongly caution against doing so.

In my experience, sometimes the system simply screws up these alerts.

For example, I've got software where every time I install an update, the system puts up an alert telling me that a software extension has been installed, but naming a script I have installed that has nothing to do with the application being updated. The system just decides that something has been installed and then picks this script even though it wasn't installed and hasn't changed.

I don't know what the direnv command is doing, but it may be asking for permission to do something for some reason and the system is just picking Keyboard Maestro because why not.

Yes, that is I think the same sort of thing that I mean by “MacOS is associating something in a directory that iTerm is accessing with an application—in this case, Keyboard Maestro”. MacOS is giving an incomplete and misleading message to the user.

There will some reason behind it. The pointing of the finger at Keyboard Maestro might be lazy, but it won’t be random. :wink: There will be a connection, however tenuous!

When direnv has been installed, changing a directory will cause variables environment settings from a “.envrc” text file (if present) in that directory to be loaded. This means that, for instance, if one’s projects in different directories require different versions of the same programming language, the path to the appropriate installed binary can be set in each directory’s .envrc file, and then, when one changes directory, the appropriate binary will be in the path.

direnv allow is what one can type to allow direnv to access a new .envrc file, when direnv asks whether it is safe to do so.

My answer is going to be the least secure, and possibly the worst technical answer you will get, but here is my thinking in these scenarios:

  • iTerm2? 'I trust them / figure they know what they're doing'
  • Keyboard Maestro 'I trust them / figure they know what they're doing'

Click 'allow'

The following two things are true for me:

  1. Never follow this advice. This is horrible advice. This is insecure, wrong, and simple minded. This is not the way you should approach your os's security.
  2. give it about .3 seconds of thought, and click 'allow'

I think you have chosen to overlook a point that has been raised a few times; that is, this situation is almost certainly not caused purely by the interaction of KM and iTerm, and that another factor (involving direnv) is involved

It might also prop the door open for other processes that MacOS would otherwise warn about, however indirectly.

We are not all completely in the dark about the problem. We know that direnv allow is the trigger. I would suggest that OP (@redmud) take a look at what is going on in the .envrc file. My bet would be that when the loading of the .envrc file is authorised (by using direnv allow), a process is (correctly) activated and it is that which is causing MacOS to alert the user... or that it is something along those lines.

The last sentence in the error message is:

An application in iTerm2 wants to use AppleScript

This suggests to me that the same would happen with the built-in Terminal.app and that the trust issue lies with the direnv command. So that's something you can try out, if you haven't already.

FYI - looking at my System Settings > Automation section, I see that both Terminal and iTerm have been granted permission over Keyboard Maestro. I'm pretty sure it was me who gave that authorisation in the distant past, but it wasn't related to direnv which I don't have installed.

Hello all! Thank you for the active conversation, I appreciate your insights.

When I was presented with that dialog, I chose "Don't Allow" and have not had any other issues. It did add an entry in System Settings under Security & Privacy: Automation, with Keyboard Maestro disabled under iTerm:

I tried using Terminal instead of iTerm but did not see any prompt this time.

Now for something a little disappointing, the .envrc file is actually empty. Working on this new Mac, I didn't question it when I was prompted to activate direnv. I had been using it some time ago to load environment variables when working in this directory, but must have stopped keeping values in it at some point.

I wouldn't be surprised if macOS is making a mistake here. Unfortunately they don't often provide much context for security prompts.

1 Like