Back to skill

Security audit

Tmux Agents

Security checks across malware telemetry and agentic risk

Overview

The skill does advertise background coding agents, but it gives them persistent unattended control with weak input validation and limited disclosure.

Install only if you intentionally want persistent tmux-managed coding agents that may edit files and run commands in your workspace. Use it in a disposable branch or sandbox, avoid secrets and sensitive repositories, prefer local agents for private work, monitor sessions with tmux/status.sh, and kill sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script explicitly launches coding agents in unattended execution modes, including Claude with `--dangerously-skip-permissions` and Codex with `--full-auto`. In the context of a tmux background-agent skill, this meaningfully increases risk because the spawned agent can take actions, edit files, and potentially run commands without interactive approval, which exceeds simple session orchestration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes cloud-based agents such as Claude, Codex, and Gemini, but it does not warn users that prompts, source code, secrets, or other task contents may be sent to third-party services through those CLIs. In a skill designed to run background coding tasks, users may pass sensitive repository context or credentials, so the missing disclosure increases the risk of unintentional data exfiltration to external providers.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match common requests like 'coding task' or 'background task' that are not specifically asking for tmux-based agent orchestration. This can cause unintended skill activation, leading users into workflows that launch background agents or external tools when they did not explicitly request that behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill promotes cloud agents and notes they use API credits, but it does not clearly warn that task contents may be transmitted to third-party providers or that invoking these commands can incur paid usage. Users may unknowingly expose sensitive code, credentials, or internal context to external services and generate unexpected costs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends the user-provided task directly to cloud-backed CLIs (`claude`, `codex`, `gemini`), but only documents cloud usage in help text and status messages rather than forcing an execution-time acknowledgement. Because tasks may contain proprietary code, secrets, or sensitive operational details, this creates a real data exposure risk in a tool designed to run background coding tasks.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
tmux send-keys -t "$SESSION_NAME" "claude --dangerously-skip-permissions \"$TASK\"" Enter
    ;;
  codex)
    # OpenAI Codex CLI with auto-approve (cloud)
    tmux send-keys -t "$SESSION_NAME" "codex --auto-edit --full-auto \"$TASK\"" Enter
    ;;
  gemini)
Confidence
95% confidence
Finding
auto-approve

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
90% confidence
Finding
The trigger phrase 'run codex' can shadow or collide with a generic built-in 'run' command, making it easier for normal command intent to invoke this skill unexpectedly. In context, that misrouting is more dangerous because this skill can spawn persistent background sessions and potentially route work to external coding agents.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
90% confidence
Finding
The trigger phrase 'run gemini' has the same shadowing problem as other generic 'run' prefixed triggers and can be mistaken for a normal execution request rather than a request to activate this skill. Because the skill manages agent sessions and may involve external providers, unintended activation can lead to privacy and cost consequences beyond simple command confusion.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.