cmux-orchestration

Warn

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill mandates the use of the --dangerously-skip-permissions flag when launching worker agents (e.g., rtk claude --dangerously-skip-permissions). This instruction explicitly bypasses the built-in safety guardrails and consent prompts of the worker TUI, enabling automated execution of actions that would otherwise require human approval.
  • [PROMPT_INJECTION]: The orchestration workflow creates an attack surface for indirect prompt injection from untrusted worker outputs.
  • Ingestion points: The controller agent reads untrusted data through terminal screen captures (rtk cmux read-screen) and worker status reports (e.g., cited files and command results).
  • Boundary markers: The skill does not implement boundary markers or delimiters to isolate untrusted worker content from the controller's internal logic.
  • Capability inventory: The skill possesses high-privilege capabilities including the ability to create terminal surfaces, send arbitrary keys/commands to worker shells, and modify the workspace state.
  • Sanitization: No explicit sanitization or validation protocols are defined for handling the output of workers before the controller processes or acts upon it.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 3, 2026, 04:04 PM
Security Audit — agent-trust-hub — cmux-orchestration