gemini-tmux-orchestration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill executes the Gemini CLI using the --yolo flag within a tmux pane (tmux split-window -h -d "cd PROJECT && gemini --yolo").
  - Evidence: Found in SKILL.md (lines 14, 40) and README.md (line 41).
  - Risk: The --yolo flag explicitly bypasses safety prompts for tool usage and command execution. Since the skill automates interaction with this process, there is no human-in-the-loop to verify the safety of commands Gemini might decide to run.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Untrusted data enters the context when the agent is instructed to read files like PLAN.md (tmux send-keys -t {right} 'Build the app per PLAN.md').
  - Boundary markers: None. Input is passed as raw strings without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The sub-process (Gemini) has full shell access, file write capabilities, and network access due to the --yolo configuration.
  - Sanitization: None. The skill's polling logic (while true; do output=$(tmux capture-pane...); done) automatically processes and potentially responds to output from the compromised sub-process.
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires the installation of @google/gemini-cli via npm.
  - Evidence: README.md (line 35).
  - Trust Scope: The package is from a trusted organization (google), which downgrades the download risk but does not mitigate the dangerous runtime behavior of the skill itself.
Recommendations
- AI detected serious security threats
Audit Metadata