tmux
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- COMMAND_EXECUTION (LOW): The scripts `create-session.sh`, `kill-session.sh`, and `cleanup-sessions.sh` interpolate variables like `session_name` and `socket` into `tmux` command lines without the `--` argument separator. This could allow an attacker to inject command-line flags if they can control the session name (e.g., setting a name that starts with a hyphen). Evidence: `tmux -S "$socket" kill-session -t "$session_name"` in `tools/kill-session.sh`.
- COMMAND_EXECUTION (LOW): Several scripts use unsafe string interpolation to build `jq` filters. Specifically, the pattern `".sessions[\"$name\"].socket"` is used where `$name` is a shell variable. A session name containing characters like `\"]` could manipulate the `jq` logic. This represents a data-poisoning or indirect injection surface. Mandatory evidence for Category 8 surface:
  - Ingestion points: Session names and metadata returned by `registry_list_sessions` in `tools/cleanup-sessions.sh` and `tools/list-sessions.sh`.
  - Boundary markers: Absent. The scripts do not validate or sanitize session names before interpolation.
  - Capability inventory: The tools can execute `tmux` commands, create directories, and list process information based on the parsed data.
  - Sanitization: Absent. Session metadata from the registry is used directly in shell and jq commands.
Audit Metadata