
cmux

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill facilitates arbitrary shell command execution through multiple interfaces, including `cmux new-workspace --command`, `cmux send`, and `cmux pipe-pane`. These commands allow the agent to run any process in the terminal environment.
  • [DATA_EXFILTRATION]: The browser automation subsystem provides commands to retrieve sensitive data, such as `browser cookies get`, `browser storage local get`, and `browser storage session get`. Furthermore, `cmux read-screen` allows the agent to ingest terminal content, which may contain sensitive logs, environment variables, or secrets.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its high-privilege capabilities and ingestion of untrusted data.
      • Ingestion points: Terminal scrollback and screen content are read via `read-screen`. Web page content and structure are read via `browser snapshot`, `browser get`, and `browser eval`.
      • Boundary markers: The skill does not implement delimiters or explicit "ignore instructions" warnings when reading from the terminal or browser, meaning an agent could inadvertently follow commands found in the output of a script or on a webpage.
      • Capability inventory: The skill possesses extensive control over the host system, including spawning shells (`new-workspace`), sending keystrokes (`send`, `send-key`), executing JavaScript in browser contexts (`browser eval`), and piping data to external commands (`pipe-pane`).
      • Sanitization: There is no evidence of sanitization or filtering applied to external content before it is provided to the agent or used in subsequent commands.
  • [REMOTE_CODE_EXECUTION]: The skill's integration with the erk tool facilitates the downloading and execution of scripts directly from pull requests (e.g., `source "$(erk pr checkout ...)"`), which constitutes a remote code execution path if the source repository or PR content is untrusted.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 4, 2026, 04:07 AM