cmux
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `pipe-pane --command <shell-command>` command allows the agent to execute arbitrary shell commands by piping pane output to them.
- [REMOTE_CODE_EXECUTION]: The `browser eval <script>` and `browser addscript <script>` commands allow for the execution of arbitrary JavaScript within a browser environment controlled by the agent.
- [DATA_EXFILTRATION]: The `read-screen` and `capture-pane` commands enable the agent to read the full content of any terminal session, which may contain credentials, private keys, or sensitive configuration data.
- [DATA_EXFILTRATION]: Browser control commands such as `browser cookies` and `browser storage` provide direct access to sensitive web session data and authentication tokens.
- [COMMAND_EXECUTION]: The `send` command allows the agent to input raw text into any terminal, which can be used to trigger unauthorized command execution if followed by a carriage return.
- [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection.
  - Ingestion points: Terminal content via `read-screen` and web page content via `browser snapshot` or `browser get`.
  - Boundary markers: No specific boundary markers or sanitization instructions are provided to help the agent distinguish between data and instructions.
  - Capability inventory: Extensive capabilities including shell command execution (`pipe-pane`), terminal input (`send`), and browser script execution (`browser eval`).
  - Sanitization: No sanitization or validation of the ingested content is mentioned, allowing external instructions to potentially control the agent's actions.
Audit Metadata