skills/xalior/agent-skills/cmux/Gen Agent Trust Hub

cmux

Warn

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill allows the execution of arbitrary shell commands through several mechanisms: the new-workspace --command and respawn-pane --command options execute specified shell strings; the pipe-pane --command functionality redirects terminal output to an arbitrary command; and the send/send-key commands allow the agent to input and run any command in an active terminal.
  • [DATA_EXFILTRATION]: Extensive data access capabilities permit the retrieval of sensitive information: read-screen and capture-pane can extract terminal content and scrollback history, which may contain credentials or private data; browser commands allow the extraction of cookies, local storage, and session storage from websites.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates dynamic code execution within the browser environment via cmux browser <surface> eval <javascript>, as well as through addscript and addinitscript which inject arbitrary scripts into web pages.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing untrusted data from external environments.
      • Ingestion points: Data enters the agent context through read-screen, capture-pane, and browser extraction commands (text, HTML, console logs).
      • Boundary markers: No explicit markers are defined in the instructions to isolate untrusted terminal or web content from agent instructions.
      • Capability inventory: The skill has powerful capabilities including arbitrary command execution, browser manipulation, and full terminal read access.
      • Sanitization: There is no evidence of sanitization or validation of data retrieved from terminal screens or web pages.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 13, 2026, 05:45 PM