tmux
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute shell commands to manage tmux sessions, windows, and panes. This gives the agent the ability to execute arbitrary processes and commands on the host machine.
- [PROMPT_INJECTION]: The skill documentation includes examples that instruct the agent to run tools with security-bypass flags (e.g., `claude --dangerously-skip-permissions`). This encourages the agent to operate outside of standard safety constraints for external utilities.
- [PROMPT_INJECTION]: The skill presents a significant surface for indirect prompt injection because it reads and processes untrusted data from terminal sessions.
  - Ingestion points: Terminal output is captured using the `tmux capture-pane` command in `SKILL.md` and the `scripts/wait-for-text.sh` script.
  - Boundary markers: There are no delimiters or specific instructions to help the agent distinguish between its own operational guidelines and instructions that might be embedded in the terminal output it scrapes.
  - Capability inventory: The skill allows the agent to execute any system command via `tmux new-session` and send arbitrary keystrokes/commands via `tmux send-keys`.
  - Sanitization: The scraped terminal data is processed as raw text without any sanitization, validation, or filtering to prevent the agent from accidentally executing commands contained within that output.