tmux-agents
Fail
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The scripts/spawn.sh script is vulnerable to shell injection via the $TASK variable. This variable is interpolated into a tmux send-keys command string without sanitization. An attacker providing a task containing shell metacharacters (such as ;, &&, or backticks) can break out of the intended command and execute arbitrary code within the shell context of the spawned tmux session.
- [COMMAND_EXECUTION]: The scripts/spawn.sh script facilitates arbitrary binary execution. The AGENT parameter is used as a direct command in the default case of the execution logic ($AGENT "$TASK"), allowing a user to run any system utility instead of the intended AI agents.
- [PROMPT_INJECTION]: The skill configures autonomous agents to operate without standard security guardrails or user confirmation. In scripts/spawn.sh, Claude Code is launched with the --dangerously-skip-permissions flag and OpenAI Codex with --full-auto. This removes the 'human-in-the-loop' safety layer, allowing the agent to perform potentially destructive or unauthorized file system operations autonomously.
- [PROMPT_INJECTION]: The skill has a significant attack surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: The TASK parameter in scripts/spawn.sh and the session content captured in scripts/check.sh and scripts/status.sh are passed into the agent context.
  - Boundary markers: None identified. Instructions are passed directly to agent CLI tools.
  - Capability inventory: Agents have full read/write access to the ~/clawd directory and the ability to execute shell commands with security filters disabled via the CLI flags mentioned above.
  - Sanitization: No input validation, escaping, or filtering is performed on the task instructions or agent outputs.
Recommendations
- AI detected serious security threats
Audit Metadata