using-tmux-for-interactive-commands

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The script tmux-wrapper.sh (lines 14-22) facilitates the execution of arbitrary system commands through tmux new-session. This allows an agent to bypass standard execution restrictions and run any process in a detached terminal.
  • Indirect Prompt Injection (HIGH):
      1. Ingestion points: tmux-wrapper.sh (lines 14, 30) where COMMAND, ARGS, and keys are accepted from the agent context.
      2. Boundary markers: None present.
      3. Capability inventory: Full terminal interaction, including the ability to write files (via vim), execute code (via Python/Node REPLs), and shell access via tmux sessions.
      4. Sanitization: None. Inputs are passed directly to tmux send-keys and new-session without escaping.
    Risk: An attacker could embed escape sequences in data processed by the agent, which the agent might then 'type' into a sensitive interactive session.
  • Persistence Mechanisms (LOW): While tmux sessions persist after the agent finishes its task, this is a standard feature of tmux. However, if not properly managed, it can leave orphaned processes running on the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:51 PM