Tmux Manager

Security checks across malware telemetry and agentic risk

Overview

This tmux skill mostly does what it advertises, but it gives broad local shell control and has weak guardrails around commands, hooks, and destructive session actions.

Review any `tmux-sessions.yaml` before use, especially `pre_hook`, `post_hook`, `command`, `panes`, `env`, and AI CLI flags. Prefer `--list` or `--dry-run` before kill/restart, avoid `tmux kill-server` unless you intend to terminate every tmux session, and do not tail panes that may contain secrets or untrusted output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_hook(hook_cmd, label):
    print(f"      [hook:{label}] {hook_cmd}")
    result = subprocess.run(hook_cmd, shell=True)
    if result.returncode != 0:
        print(f"      [!] {label} hook exited with code {result.returncode}")
    return result.returncode
Confidence
100% confidence
Finding
result = subprocess.run(hook_cmd, shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log_file = os.path.join(tempfile.gettempdir(), f"tmux-tail-{target.replace(':', '-')}.log")

# Start piping pane output to log file
subprocess.run(
    ["tmux", "pipe-pane", "-t", target, f"cat >> {log_file}"],
    check=True
)
Confidence
83% confidence
Finding
subprocess.run( ["tmux", "pipe-pane", "-t", target, f"cat >> {log_file}"], check=True )

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill manifest describes tmux session management, but the implementation additionally executes arbitrary pre/post shell hooks from YAML configuration. In an agent environment, this materially expands capability to unrestricted host command execution, making a config file an execution payload rather than just declarative session data.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script sends configuration-defined commands into tmux panes for automatic execution, which means opening or restoring a session can launch arbitrary processes from a YAML file. That is broader and riskier than simple session management because a config can silently run code when the skill is used.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly documents destructive kill operations (`--all --kill`) without warning that they terminate running tmux sessions and can disrupt active work. In a session-management skill, users may reasonably copy-paste commands from documentation, so omission of an impact warning increases the chance of accidental destructive use.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README includes `tmux kill-server` as a ready-to-run example without emphasizing that it destroys every tmux session on the server, not just those managed by this skill. Because this is a broad, irreversible operational command presented in normal usage documentation, it can cause widespread denial of service for the user's terminal workflows if copied blindly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation prominently includes kill and restart operations for tmux sessions without an explicit warning that these actions can terminate active processes and discard ongoing work in those sessions. In this context, the skill is specifically designed to manage live development sessions, so destructive commands are more dangerous because users may have long-running agents, shells, or unsaved terminal state attached.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Hook execution occurs automatically with only a print statement and no strong warning or consent boundary at the moment of execution. In a skill that may be driven by natural-language requests, silently executing config-specified shell commands increases the chance of surprising and unsafe host actions.

VirusTotal

66/66 vendors flagged this skill as clean.
