tmux
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill provides a direct channel for untrusted data to influence agent actions.
  - Ingestion points: tmux capture-pane (documented in SKILL.md) is used to scrape output from terminal sessions, which may display content from untrusted files, web responses, or malicious command outputs.
  - Boundary markers: Absent. There are no mechanisms described to wrap or delimit captured terminal text to prevent the agent from interpreting embedded instructions as its own directives.
  - Capability inventory: The skill possesses high-privilege capabilities including tmux send-keys (arbitrary command execution in a shell) and session management (kill-server, kill-session).
  - Sanitization: Absent. Terminal output is processed as raw text, providing no protection against ANSI escape sequences or text-based injection attacks.
- Command Execution (HIGH): The primary purpose of the skill is to facilitate shell command execution through tmux keystroke injection.
  - Evidence: Multiple examples in SKILL.md demonstrate sending shell commands, including pnpm install, python3, and arbitrary commands to coding agents like Codex using send-keys.
Recommendations
- AI detected serious security threats
Audit Metadata