cmux-terminal-multiplexer
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions utilize the cmux CLI to interact with the system's terminal, including creating splits and sending arbitrary shell commands via 'cmux send-surface'. This is the primary intended function of the multiplexer tool.
- [REMOTE_CODE_EXECUTION]: The browser automation suite enables JavaScript evaluation ('cmux browser eval') and the injection of custom scripts ('addscript', 'addinitscript') into web pages. This allows for code execution within the browser's sandbox environment as part of automated workflows.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing external, untrusted data.
- Ingestion points: Untrusted data enters the agent context through 'cmux capture-pane' (terminal history) and browser commands such as 'snapshot', 'get text', and 'get html' (external web content).
- Boundary markers: The provided instructions do not include the use of delimiters or 'ignore instructions' wrappers when processing this external content.
- Capability inventory: The agent has access to powerful tools including shell execution ('send-surface'), browser-side script execution ('eval'), file system writes ('state save' for auth data), and OS notifications ('notify').
- Sanitization: There is no evidence of sanitization or validation of the ingested external content before it is processed by the AI agent.
Audit Metadata