Security Audit

tmux-agents

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

tmux-agents received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 6 findings: 2 critical, 3 high, 1 medium, and 0 low severity. Key findings include Command Injection via unvalidated 'LINES' argument in check.sh, Command Injection via unescaped 'TASK' argument in tmux send-keys (echo), Command Injection via unescaped 'TASK' argument in agent commands.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Shell Execution

5 findings

Dynamic Code

5 findings

Excessive Permissions

1 finding

Security Findings6

Severity	Finding	Layer	Location
CRITICAL	Command Injection via unescaped 'TASK' argument in agent commands The 'TASK' argument (second positional parameter) in 'scripts/spawn.sh' is passed directly as an argument to agent commands (e.g., 'claude', 'codex', 'gemini', 'ollama launch') within the tmux session. The argument is enclosed in double quotes ('"$TASK"') but is not robustly shell-escaped. An attacker can inject shell metacharacters (e.g., ';', '`', '$()') into 'TASK' to break out of the quoted string and execute arbitrary commands on the host system via the agent's shell. Before sending 'TASK' to 'tmux send-keys', escape it for shell interpretation. Use 'printf %q' to properly quote the variable for the shell inside tmux. For example: 'escaped_task=$(printf %q "$TASK"); tmux send-keys -t "$SESSION_NAME" "claude --dangerously-skip-permissions $escaped_task" Enter'.	LLM	scripts/spawn.sh:54
CRITICAL	Command Injection via unvalidated 'AGENT' argument in custom command execution In 'scripts/spawn.sh', the 'AGENT' argument (third positional parameter) is directly executed as a command in the ')' case of the 'case' statement. This allows an attacker to provide an arbitrary command string for 'AGENT', leading to immediate command injection and execution of malicious code on the host system. Implement strict whitelisting for the 'AGENT' variable. Only allow predefined, safe agent names. Remove or heavily restrict the ')' fallback case to prevent arbitrary command execution. If custom commands are absolutely necessary, they should be executed via a safer mechanism like 'bash -c' with arguments passed separately, and with robust input validation and escaping.	LLM	scripts/spawn.sh:74
HIGH	Command Injection via unvalidated 'LINES' argument in check.sh The 'LINES' argument (second positional parameter) in 'scripts/check.sh' is directly used in the 'tmux capture-pane' command without validation or proper shell escaping. An attacker can inject arbitrary shell commands by providing a malicious string for 'LINES', which will be executed on the host system. Validate the 'LINES' argument to ensure it is a positive integer before use. For example, add a check like 'if ! [[ "$LINES" =~ ^[0-9]+$ ]]; then echo "Error: LINES must be a number"; exit 1; fi'.	LLM	scripts/check.sh:20
HIGH	Command Injection via unescaped 'TASK' argument in tmux send-keys (echo) The 'TASK' argument (second positional parameter) in 'scripts/spawn.sh' is echoed into the tmux session using 'tmux send-keys'. The string is not properly escaped for the shell environment inside the tmux session. An attacker can inject shell metacharacters into 'TASK' to execute arbitrary commands within the spawned agent's session. Before sending 'TASK' to 'tmux send-keys', escape it for shell interpretation. Use 'printf %q' to properly quote the variable for the shell inside tmux. For example: 'escaped_task=$(printf %q "$TASK"); tmux send-keys -t "$SESSION_NAME" "echo '📋 Task: $escaped_task'" Enter'.	LLM	scripts/spawn.sh:43
HIGH	Command Injection via unescaped 'AGENT' argument in tmux send-keys (echo) The 'AGENT' argument (third positional parameter) in 'scripts/spawn.sh' is echoed into the tmux session using 'tmux send-keys'. The string is not properly escaped for the shell environment inside the tmux session. An attacker can inject shell metacharacters into 'AGENT' to execute arbitrary commands within the spawned agent's session. Before sending 'AGENT' to 'tmux send-keys', escape it for shell interpretation. Use 'printf %q' to properly quote the variable for the shell inside tmux. For example: 'escaped_agent=$(printf %q "$AGENT"); tmux send-keys -t "$SESSION_NAME" "echo '🤖 Agent: $escaped_agent'" Enter'.	LLM	scripts/spawn.sh:39
MEDIUM	Excessive Permissions granted to Claude agent The 'claude' agent is launched with the '--dangerously-skip-permissions' flag. This bypasses user confirmation for actions the agent might take, increasing the risk of unintended or malicious operations if the agent is compromised or misbehaves. While this might be a design choice for convenience, it significantly broadens the agent's effective permissions. Remove the '--dangerously-skip-permissions' flag to require user confirmation for agent actions. If skipping permissions is desired, make it an explicit, optional flag that the user must consciously enable, rather than a default behavior.	LLM	scripts/spawn.sh:54

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/63aa3cedd53bf43e.svg)](https://skillshield.io/report/63aa3cedd53bf43e)