tmux-cli-test
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill provides functions like `tmux_start` and `_docker_tmux` that execute arbitrary shell commands provided as strings. While necessary for testing, this capability can be abused to execute malicious code if the agent is manipulated into testing a crafted command string.
  - Evidence: `tmux_start <session> <cmd>` in `SKILL.md` and `docker exec "$TMUX_DOCKER_CONTAINER" tmux "$@"` in `tmux_docker_helpers.sh`.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It captures terminal output (`tmux_capture`, `docker_tmux_capture`) and feeds it back to the agent. If the application being tested displays attacker-controlled data (e.g., from a web page, file, or database), that data could contain instructions that influence the agent's next actions.
  - Ingestion points: `tmux_capture` and `docker_tmux_capture` functions.
  - Boundary markers: None. The skill reads raw terminal output without sanitization or explicit instruction boundaries.
  - Capability inventory: The skill can run shell commands, interact with Docker, and send keypresses.
  - Sanitization: No escaping or validation of terminal output is performed before it is processed by the agent.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill references an internal helper script `tmux_helpers.sh` via a relative path. While this file was not provided for analysis, it is treated as a local dependency of the skill rather than an external/remote download.
  - Reference: `source .claude/skills/tmux-cli-test/scripts/tmux_helpers.sh`.