Tmux Agents

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can start persistent autonomous coding agents with broad local command and file-changing authority.

Install only if you intentionally want persistent tmux-managed coding agents with broad ability to edit files and run commands. Use a disposable branch or sandbox, avoid secrets and sensitive repositories, verify which cloud CLIs are logged in, avoid untrusted task text, monitor sessions with status.sh or tmux ls, and kill sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README explicitly promotes use of cloud-backed agents such as Claude, Codex, and Gemini, but it does not warn that task prompts, source code, credentials, or other workspace content may be sent to third-party providers. In a coding-agent skill, users are likely to submit proprietary repositories or sensitive debugging context, so omission of this disclosure creates a meaningful risk of unintended data exfiltration and policy noncompliance.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger list includes very generic phrases such as 'coding task', 'background task', and 'tmux session', which are likely to match ordinary user requests unrelated to this specific skill. Overbroad activation can cause the wrong skill to be invoked unexpectedly, increasing the chance that user tasks are routed into tmux-managed agent workflows without clear intent or review.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill promotes cloud agents for coding and research tasks but does not warn that prompts, source code, or other task contents may be transmitted to third-party services. Users may unknowingly send sensitive code, credentials, or proprietary information to external providers, creating confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script launches powerful agent CLIs with permission-bypass and autonomous edit flags such as '--dangerously-skip-permissions', '--auto-edit', and '--full-auto' without an explicit confirmation gate. In the context of a background tmux agent launcher, this is particularly risky because it enables unattended code modification and command execution, increasing the chance of destructive changes, secret exposure, or unintended actions from a malformed or malicious task prompt.

Shadow Command Trigger

Medium
Category: Trigger Abuse
Confidence: 91%
Finding
The trigger phrase 'run codex' overlaps with a built-in 'run' command pattern, which can cause ambiguous routing or unintended invocation of this skill. That ambiguity is risky because this skill is capable of spawning background agent sessions, potentially launching external tools or workflows when the user intended a different command.

Shadow Command Trigger

Medium
Category: Trigger Abuse
Confidence: 91%
Finding
The trigger phrase 'run gemini' has the same shadowing problem: it is likely to conflict with generic or built-in 'run' command handling. In this skill's context, accidental activation is more concerning because it may initiate agent execution in tmux and send user tasks into a background workflow or cloud-backed tool unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.
