cmux-orchestration
Warn
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill mandates the use of the
--dangerously-skip-permissionsflag when launching worker agents (e.g.,rtk claude --dangerously-skip-permissions). This instruction explicitly bypasses the built-in safety guardrails and consent prompts of the worker TUI, enabling automated execution of actions that would otherwise require human approval. - [PROMPT_INJECTION]: The orchestration workflow creates an attack surface for indirect prompt injection from untrusted worker outputs.
- Ingestion points: The controller agent reads untrusted data through terminal screen captures (
rtk cmux read-screen) and worker status reports (e.g., cited files and command results). - Boundary markers: The skill does not implement boundary markers or delimiters to isolate untrusted worker content from the controller's internal logic.
- Capability inventory: The skill possesses high-privilege capabilities including the ability to create terminal surfaces, send arbitrary keys/commands to worker shells, and modify the workspace state.
- Sanitization: No explicit sanitization or validation protocols are defined for handling the output of workers before the controller processes or acts upon it.
Audit Metadata