Is tmux safe?

https://clawhub.ai/skill/tmux

85
SAFE

The tmux skill is a legitimate utility that teaches an AI agent to manage interactive terminal sessions via tmux. It contains no prompt injection, data exfiltration, or malicious code. The primary risk is inherent to the skill's purpose: it grants the agent powerful shell interaction capabilities through tmux send-keys, and its documentation encourages running multiple AI agents with reduced-oversight flags in parallel sessions.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM tmux send-keys enables unmonitored command execution -15

The skill's core functionality teaches the agent to send arbitrary keystrokes to tmux panes. While this is the intended purpose, it means commands can be executed in sessions the user isn't actively watching. In combination with other skills, this could be used to execute commands stealthily in background tmux sessions.

LOW Encourages reduced-oversight agent execution patterns -10

The 'Orchestrating Coding Agents' section demonstrates launching multiple AI agents with --yolo and --full-auto flags in parallel tmux sessions. While documented openly, this pattern reduces human oversight of agent actions across multiple workspaces simultaneously.

LOW Mild behavioral directive in SKILL.md -8

The skill instructs the agent to 'always print monitor commands' after starting a session. This is a benign behavioral override but demonstrates the pattern of skills directing agent behavior.

MEDIUM Skill's purpose inherently grants shell execution capability -28

The skill's entire purpose is to enable an AI agent to run interactive shell sessions via tmux, send arbitrary keystrokes, and read terminal output. This is a significant capability grant. The helper scripts themselves are safe, but the instructional content teaches powerful shell interaction patterns.

LOW Single external HTTPS connection during install -10

One HTTPS connection to 216.150.1.1:443 was observed during installation. This appears to be the ClawHub registry used for skill resolution/download, which is expected behavior.

INFO Socket in /tmp is world-readable by default -15

The default socket directory uses ${TMPDIR:-/tmp}/clawdbot-tmux-sockets. While tmux sockets inherit user permissions, the /tmp parent directory allows other users on shared systems to discover socket paths. The skill mitigates this somewhat by using a dedicated subdirectory.