driving-claude-code-sessions
Fail
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill launches the 'claude' CLI in detached 'tmux' sessions with the '--dangerously-skip-permissions' flag enabled, bypassing platform-level interactive tool approval prompts.
- [COMMAND_EXECUTION]: The skill uses 'tmux send-keys' to inject and run arbitrary shell commands within terminal sessions via the 'send-prompt.sh' script.
- [DATA_EXFILTRATION]: The skill accesses and reads sensitive conversation logs from the '~/.claude/projects/' directory, which may contain source code, internal data, or credentials from previous agent interactions.
- [REMOTE_CODE_EXECUTION]: The skill implements an orchestration layer allowing 'worker' agents to execute code and modify systems autonomously without human-in-the-loop verification.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its monitoring of worker session data.
  1. Ingestion points: Worker logs in '/tmp/claude-workers/.events.jsonl' and session history in '~/.claude/projects/.jsonl'.
  2. Boundary markers: Absent; the controller processes raw JSONL data from worker logs.
  3. Capability inventory: Shell command execution via 'tmux' in 'send-prompt.sh' and worker lifecycle management in 'launch-worker.sh'.
  4. Sanitization: Absent; the controller does not escape or validate worker output before use.
Recommendations
- AI detected serious security threats
Audit Metadata