Is tmux safe?

https://clawhub.ai/steipete/tmux

85
SAFE

The tmux skill is a legitimate utility for remote-controlling tmux sessions from an LLM agent. It contains no malicious code, no data exfiltration attempts, and no prompt injection payloads. The primary security consideration is that tmux send-keys inherently enables arbitrary command execution, which could bypass tool-level permission systems and amplify the impact of any co-installed malicious skill.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM Inherent arbitrary command execution via tmux send-keys -20

The skill's core functionality is to send keystrokes to tmux panes, which inherently allows execution of arbitrary commands. While this is by design and the stated purpose of the skill, it means any agent using this skill can run commands through tmux that may bypass tool-level permission gates that would normally intercept direct shell execution.

LOW Encourages --yolo/--full-auto agent flags -10

The 'Orchestrating Coding Agents' section suggests running coding agents like Codex with --yolo and --full-auto flags, which disable confirmation prompts in those tools. This normalizes reduced human oversight when combined with tmux-based agent orchestration.

LOW Behavioral directive to always print monitor commands -8

SKILL.md instructs the agent to 'always print monitor commands' after starting a session. This is a mild behavioral override that is benign in intent (aids user monitoring) but demonstrates the skill can direct agent behavior.

LOW Skill amplifies risk when combined with malicious skills -30

While benign on its own, this skill creates tmux sessions that could be targeted by other skills or prompt injections. A malicious skill could inject commands into a running tmux session via send-keys, creating a non-obvious execution channel that bypasses direct tool permission checks.

INFO Network connection to 216.150.1.1 during install -10

A TLS connection to 216.150.1.1:443 was observed during installation. This appears to be the ClawHub registry used for skill resolution and is expected behavior.

INFO Two shell scripts included with clean implementations -8

find-sessions.sh and wait-for-text.sh are well-structured bash scripts that only interact with local tmux sockets. Both use strict mode (set -euo pipefail), proper argument parsing, and contain no hidden or obfuscated functionality.