skills/build000r/skills/codex-tmux/Gen Agent Trust Hub

codex-tmux

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The _build_tmux_wrapper function in scripts/run.py performs unsafe string interpolation of the prefix and session_name variables into a Bash script template. Since these values are not escaped using shlex.quote, providing a malicious prefix (e.g., $(touch /tmp/pwned)) results in command execution when the wrapper script is run.
  • [COMMAND_EXECUTION]: The generated script uses osascript with variables derived from the unsanitized prefix, providing an additional vector for command execution within the system's notification service.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
      1. Ingestion points: Commit messages are read via git log in scripts/run.py.
      2. Boundary markers: No markers or 'ignore' instructions are used for ingested git data.
      3. Capability inventory: The skill can write files and execute subprocesses (tmux, git, codex).
      4. Sanitization: While commit messages are passed via environment variables to a Python helper, the overall lack of validation for data from the repo context represents an unmitigated attack surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 02:39 PM