cmux
Fail
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
cmux sendcommand to execute arbitrary shell commands in separate terminal panes, providing the agent with broad execution capabilities within the local environment. - [REMOTE_CODE_EXECUTION]: Instructions in
SKILL.mddirect the agent to launch sub-agents (Claude Code and Codex) using flags that bypass security approvals and sandboxes, specifically--dangerously-skip-permissionsand--dangerously-bypass-approvals-and-sandbox. This effectively creates unconstrained execution environments that the main agent can interact with. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of reading untrusted external data.
- Ingestion points: The agent is instructed to read terminal output from other panes (
cmux read-screeninSKILL.md) and extract content from web pages (cmux browser snapshotorget textinreferences/browser.md). - Boundary markers: There are no instructions to use delimiters or ignore directives when processing data from these external sources.
- Capability inventory: The skill has high-privilege capabilities, including shell access via
cmux sendand the ability to manage sub-agents. - Sanitization: The skill does not implement any validation or filtering of the content ingested from terminals or the browser.
- [DATA_EXFILTRATION]: The integrated browser automation tools, such as
cmux browser snapshot,cookies get, andscreenshot, enable the agent to access and potentially capture sensitive user data from web sessions.
Recommendations
- AI detected serious security threats
Audit Metadata