skills/jiahao-shao1/cmux-skill/cmux/Gen Agent Trust Hub

cmux

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the cmux send command in SKILL.md to execute arbitrary shell commands across multiple terminal surfaces and workspaces. While intended for orchestration, this provides a powerful primitive for executing commands without direct user oversight in secondary panes.
  • [REMOTE_CODE_EXECUTION]: In SKILL.md, the instructions specifically direct the agent to launch sub-Claude-Code instances using the --dangerously-skip-permissions flag. This flag suppresses standard security prompts and authorization checks for the sub-agent's actions, creating a path for autonomous execution of potentially dangerous operations.
  • [DATA_EXFILTRATION]: The browser automation suite detailed in references/browser.md includes commands for retrieving sensitive browser data. Specifically, cmux browser <surface> cookies get and cmux browser <surface> storage local|session get allow the agent to extract session identifiers and local storage data from active browser panes.
  • [DATA_EXFILTRATION]: The cmux browser <surface> eval command allows for the execution of arbitrary JavaScript within the context of a web page. This can be used to exfiltrate DOM content, capture user input, or bypass client-side security controls.
  • [PROMPT_INJECTION]: The skill defines a large attack surface for indirect prompt injection. It instructs the agent to ingest untrusted data from external websites using commands like snapshot --interactive, get text, and get html.
      • Ingestion points: Browser snapshots and HTML/text extraction in references/browser.md and SKILL.md.
      • Boundary markers: None identified in the provided instructions to differentiate between browser-sourced data and agent instructions.
      • Capability inventory: Extensive subprocess execution via cmux send, file system access via markdown previews, and network operations through the built-in browser.
      • Sanitization: No evidence of sanitization or filtering of data retrieved from the browser before it is processed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 31, 2026, 01:57 AM