The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The skill relies on a series of shell scripts (spawn.sh, check.sh, status.sh) located in the skill's directory. Specifically, spawn.sh accepts a positional <task> argument. If this script interpolates the task string into a command line (e.g., tmux send-keys or directly into an agent CLI) without rigorous escaping, an attacker could execute arbitrary host commands using shell metacharacters (e.g., ; rm -rf /).
PROMPT_INJECTION (HIGH): The skill demonstrates a significant Category 8 (Indirect Prompt Injection) vulnerability surface. Ingestion points: The <task> parameter in the spawn.sh command. Boundary markers: Documentation shows no delimiters or instructions for the agent to ignore embedded commands within the task. Capability inventory: The agents being spawned (Claude Code, etc.) are explicitly described as capable of 'complex coding', 'full projects', and 'heavy refactoring', implying full filesystem and shell access. Sanitization: None described; raw strings are passed from the user/triggering agent to the sub-agent.
EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation includes setup instructions for ollama pull and brew installations. While these are common tools, the skill encourages the installation of unverified models and system-level binaries which constitutes a medium-risk supply chain surface.

tmux-agents