using-tmux-for-interactive-commands
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The tmux-wrapper.sh script facilitates arbitrary command execution via tmux new-session. It takes a command and arguments directly from user/agent input and executes them without any validation or restricted shell environment.
- PROMPT_INJECTION (HIGH): This skill is highly susceptible to indirect prompt injection (Category 8). Because the agent captures and acts upon content displayed in the terminal (like file contents, REPL outputs, or git logs), an attacker can embed instructions in that content to hijack the agent's logic.
  - Ingestion points: The skill captures terminal output using 'tmux capture-pane -p' in the wrapper script and documented examples.
  - Boundary markers: No delimiters or safety instructions are used when the agent reads this output.
  - Capability inventory: The agent has full control over the session via 'send-keys' and can start new processes.
  - Sanitization: None.
- PERSISTENCE (LOW): Tmux sessions and their child processes persist in the background until explicitly terminated, which could be used to maintain access or consume system resources if not properly managed.
Recommendations
- AI detected serious security threats