skills/trancong12102/pi-skills/tmux/Gen Agent Trust Hub

tmux

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill's core functionality is built around sending arbitrary strings as input to terminal sessions using tmux send-keys. This allows the agent to execute any command within the shell or interactive tool (such as python or gdb), creating a significant attack surface if the agent is manipulated.
  • PROMPT_INJECTION (HIGH): This skill is highly susceptible to Indirect Prompt Injection (Category 8) because it captures and analyzes external process output to drive agent behavior.
      • Ingestion points: Both scripts/wait-for-text.sh and the documentation in SKILL.md rely on tmux capture-pane to ingest data from the terminal into the agent's context.
      • Boundary markers: Absent. The skill provides no mechanisms (like delimiters or 'ignore' warnings) to prevent the agent from obeying instructions embedded in the captured terminal text.
      • Capability inventory: High. The agent has the ability to send commands (send-keys), kill sessions, and read historical pane output.
      • Sanitization: Absent. There is no filtering or escaping of the captured text before it is presented to the agent's reasoning engine.
  • DATA_EXFILTRATION (MEDIUM): The ability to capture pane output (tmux capture-pane) allows the agent to read potentially sensitive information printed to the console by other processes, such as environment variables, secret keys, or private file contents, which could then be exposed in the agent's logs or subsequent actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:31 PM