codex-tmux-echo
Audited by Socket on Mar 22, 2026
3 alerts found:
Anomaly, Obfuscated File x2
SUSPICIOUS: the skill is internally consistent with its stated tmux automation purpose and shows no obvious credential harvesting or remote exfiltration, but its footprint is inherently high-risk because it can target arbitrary panes, execute arbitrary commands, read pane contents, and auto-submit keystrokes that may trigger unintended actions. Risk comes from powerful local automation rather than deceptive supply chain behavior.
The code is a safe, minimal wrapper around a dispatch script. It validates input, forwards arguments securely, and does not perform dangerous operations itself. Security risk is tied to the behavior of dispatch.sh; the wrapper itself shows low potential for malicious activity. Improvements could include explicit input sanitization before dispatch and clearer separation of user data vs internal control flow, but the current implementation is appropriate for a thin wrapper pattern.
The repository provides tooling to automate keystrokes and capture output in tmux. Based on the provided documentation, this package is not inherently malicious but is a powerful capability that can be easily abused or cause accidental damage/data leakage. The main risks are command injection into unintended panes and exfiltration of pane contents via capture-pane. Because the actual script implementations were not provided, review the scripts themselves for target validation, sanitization, and reporting controls before use; operate on isolated or single-user sockets and avoid exposing secrets to panes the tool may read.