maestro-coordinate
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill implements a sequential agent pipeline that is vulnerable to indirect prompt injection. Findings and hints generated by one agent are accumulated in a context variable and injected into the prompt of the next agent without sanitization or boundary markers.
  - Ingestion points: The skill processes outputs from the wait_agent tool in Phase 2 of SKILL.md.
  - Boundary markers: The prompt template used in buildStepPrompt lacks delimiters or instructions to treat the injected context as potentially hostile data.
  - Capability inventory: The agents in the chain have access to powerful tools such as Bash, Write, and spawn_agent.
  - Sanitization: There is no evidence of validation or escaping for the data accumulated in the prevContext variable.
- [PROMPT_INJECTION]: The user-provided intent string is directly interpolated into a command-like invocation ${skill} "{intent}" inside the agent prompt. This allows a malicious user to craft an intent that breaks out of the quotes to inject arbitrary instructions or manipulate the agent's task assignment.
- [DATA_EXFILTRATION]: The skill mandates that agents read files from the user's home directory, specifically ~/.maestro/workflows/maestro-coordinate.codex.md and skill-specific metadata in ~/.codex/skills/. Accessing files in the home directory is a sensitive operation that can lead to information exposure if the agent is misled via prompt injection.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to manage session directories and constructs shell-style command strings for agent execution. The combination of shell-level capabilities and the absence of input sanitization creates a high-impact surface for command or prompt-based attacks.
Audit Metadata