tmux
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides tools and examples for sending arbitrary input to terminal sessions via `tmux send-keys`. This allows the agent to execute commands in any active session, including shell sessions and interactive tools.
- [DATA_EXFILTRATION]: The skill uses `tmux capture-pane` (documented in `SKILL.md` and implemented in `scripts/wait-for-text.sh`) to read terminal content. This can include full scrollback history (`-S -`), which may contain sensitive information, environment variables, or secrets displayed during previous user activity.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests untrusted terminal output.
  - Ingestion points: Terminal data is read in `scripts/wait-for-text.sh` using `tmux capture-pane` and in `SKILL.md` example patterns.
  - Boundary markers: Absent. There are no delimiters or instructions provided to the agent to distinguish between its own instructions and terminal output.
  - Capability inventory: The agent can send keystrokes to shells, manage sessions (create/kill/rename), and navigate windows/panes via the `tmux` CLI.
  - Sanitization: Absent. The captured text is handled as raw data without any escaping or validation.
Audit Metadata