tmux
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: High-severity command injection vulnerability in tmux-manager.js. \n
- Evidence: The script constructs shell commands via string interpolation of CLI arguments in functions such as exists, create, capture, send, and kill. \n
- Evidence: In the exists(session) function, the session variable is directly embedded:
tmux has-session -t ${session}. This allows an attacker to execute arbitrary system commands by providing a session name containing shell metacharacters (e.g.,mysession; rm -rf /). \n - Evidence: In the create(session, command) function, the command argument is placed inside double quotes but is not escaped, permitting command breakout and execution. \n
- Evidence: The run function executes these unsanitized strings using child_process.execSync, exposing the host system to full compromise. \n- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection through terminal output ingestion. \n
- Ingestion points: The capture function in tmux-manager.js reads output from tmux panes via
tmux capture-pane. \n - Boundary markers: No delimiters or "ignore instructions" warnings are present to isolate terminal content from agent logic. \n
- Capability inventory: The skill possesses powerful capabilities including command execution, keystroke injection, and session termination. \n
- Sanitization: No filtering or escaping is applied to the captured terminal text before it enters the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata