cmux-team-investigate
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands and subshells to interact with the local environment.
  - It executes subshells to change directories and run local tools: `( cd "$TARGET" && cmux-team trace-task <task-id> )`.
  - It interpolates user-controlled variables like `<task-id>` and `<surface-id>` into shell commands and SQL queries. While standard for this use case, this pattern relies on the agent to ensure inputs do not contain injection characters.
- [DATA_EXFILTRATION]: The skill targets sensitive project data located in directories outside the current workspace root.
  - It accesses logs, task metadata, and databases in other repositories (e.g., `~/git/mado/.team/logs/manager.log`).
  - While there is no evidence of network exfiltration, this cross-directory access constitutes a data exposure surface. This is explicitly documented as the primary purpose of the skill for cross-team investigation.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through data ingestion.
  - Ingestion points: The skill reads external data from `manager.log`, `task-state.json`, and `traces.db` (referenced in SKILL.md).
  - Boundary markers: Absent. There are no instructions provided to the agent to treat the content of these external files as untrusted or to ignore instructions embedded within them.
  - Capability inventory: The agent has shell access via `sqlite3`, `grep`, `tail`, and the `cmux` CLI (referenced in SKILL.md).
  - Sanitization: Absent. The skill does not provide methods for sanitizing the content of the logs or databases before they are processed by the agent.
Audit Metadata