agent-comms
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The 'send' command uses tmux to inject text directly into the input buffer of other sessions. If a target session is at a shell prompt, this effectively executes arbitrary commands on the system in the context of that session.
- [DATA_EXFILTRATION] (HIGH): The 'read' command allows capturing the terminal scrollback of any active tmux session. This bypasses session isolation, permitting an agent to access sensitive information such as API keys, credentials, or private configuration data that may have been displayed in another agent's session.
- [PROMPT_INJECTION] (LOW): The skill's intended use-case for inter-agent communication establishes a vector for indirect prompt injection.
  - Ingestion points: Terminal input of the target tmux session provided via the 'agent-msg send' command (SKILL.md).
  - Boundary markers: The skill suggests a non-binding '[AGENT-MSG]' header convention which lacks programmatic enforcement or security isolation.
  - Capability inventory: The script (~/.claude/skills/agent-comms/scripts/agent-msg) can list sessions, read terminal scrollback, and inject keystrokes into active panes.
  - Sanitization: No input validation or command sanitization is described; the skill facilitates the transmission of raw strings between sessions.
Recommendations
- AI detected serious security threats