I really think this is a security disaster waiting to happen, landing right in time for all the agentic terminal apps:

  printf '\e]8;;http://evil.com\e\\https://good.com\e]8;;\e\\\n'

The next step would be to embedd a full javascript VM in the terminal and a CSS engine.