High-risk tools in Cmux
11 of the 23 tools in Cmux are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
cmux_browserExecuteRun a
-
cmux_focus_paneExecuteMove focus to the given pane.
-
cmux_new_groupExecuteGroup workspaces under a collapsible sidebar header. Spawns a fresh anchor workspace that becomes the header row. If
-
cmux_new_paneExecuteOpen a new pane (terminal or browser) by splitting in the given direction.
-
cmux_new_workspaceExecuteCreate a new workspace, optionally with a title, cwd, and startup command. Pass group to create it inside a workspace group.
-
cmux_notifyExecuteShow a cmux notification.
-
cmux_rawExecuteEscape hatch for cmux subcommands without a dedicated tool. Pass tokens after
-
cmux_sendExecuteType literal text into a terminal surface. Does NOT press Enter — follow with cmux_send_key Enter. Pass workspace/window to target a surface in another workspace.
-
cmux_send_keyExecuteSend a named key such as Enter, Tab, Escape, C-c, C-d. Ctrl chords accept either form:
-
cmux_send_panelExecuteSend text into an agent panel via send-panel. Use cmux_list_panels to find the panel ref. Pass workspace/window when the panel lives in another workspace.
-
cmux_wait_readyExecutePoll a surface/panel until it looks ready for input, then return the final screen. Ready = the screen matches
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.