divide-and-conquer

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions explicitly direct the agent to bypass human approval gates ('No approval gates', 'do NOT ask for approval between planning and launching'), which overrides the default human-in-the-loop safety protocol.
  • [COMMAND_EXECUTION]: The skill executes a Python utility script located at a path external to the skill directory ('~/.claude/skills/codex-tmux/scripts/run.py') to orchestrate tmux sessions and launch sub-agents.
  • [COMMAND_EXECUTION]: The autonomous 'Review Agent' is tasked with running git commands, build scripts, tests, and linting tools, and is authorized to fix issues and commit changes to the repository without user intervention.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface (Category 8) because it processes untrusted outputs from multiple sub-agents. (1) Ingestion points: Agent outputs and git diffs are processed by the Review Agent. (2) Boundary markers: The Review Agent prompt uses specific formatting and guardrails (e.g., 'Do NOT push to remote'). (3) Capability inventory: The review process can perform file writes, run bash commands, and create git commits. (4) Sanitization: There is no explicit sanitization or filtering of sub-agent outputs before they are provided to the Review Agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 02:39 PM