AI agents use pane_focus to create or update resources in Wmux — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your Wmux environment.
This tool modifies the state of a pane (marking it as active/focused) without executing code, deleting data, or moving money. It is a reversible state change — a write operation on the terminal multiplexer's internal state. The blast radius is low since it only affects which pane is marked active in a workspace, without running any commands or affecting user data.
From the tool's definition Focus a leaf pane... focusing a pane in a background workspace marks it active there
Attacks that exploit this kind of access
Focus a leaf pane. Does NOT switch the on-screen workspace (non-yank): focusing a pane in a background workspace marks it active there without stealing the user\. It is categorised as a Write tool in the Wmux MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the Wmux MCP server in PolicyLayer and add a rule for pane_focus: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Wmux. Nothing to install.
pane_focus is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the pane_focus rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for pane_focus. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
pane_focus is provided by the Wmux MCP server (openwong2kim/wmux). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
pane_focus is one line of Wmux's registry record.
The record carries the whole server: verified identity, auth posture, risk grade, every tool classified, recommended policy — re-checked continuously.
Teams ship this data inside their own products. See what a licence covers →