tmux
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The core functionality of this skill is to send keystrokes to terminal sessions using
tmux send-keys. This allows for arbitrary command execution within those sessions. If the agent processes untrusted user input and sends it directly to a shell or REPL, it could lead to command injection. - [REMOTE_CODE_EXECUTION] (MEDIUM): The skill documentation includes examples for remote command execution via
ssh. Specifically, it suggests patterns likessh host 'zsh -c "source ~/.zshrc; ..."', which executes commands on a remote system and sources local configuration files that might contain untrusted or malicious code. - [DATA_EXFILTRATION] (LOW): The use of
tmux capture-pane -pinSKILL.mdandwait-for-text.shallows the agent to read the entire output history of a terminal pane. This creates a risk of data exposure if sensitive information, such as passwords, environment variables, or private keys, is displayed in the terminal. - [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8):
- Ingestion points: Terminal output is read into the agent context via
tmux capture-paneinSKILL.mdandscripts/wait-for-text.sh. - Boundary markers: None are used to delimit terminal output from agent instructions.
- Capability inventory: The skill has high-impact capabilities including
tmux send-keysandsshremote execution. - Sanitization: There is no evidence of sanitization or escaping of the captured terminal text before it is processed by the agent.
Audit Metadata