maestro-execute

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The session initialization logic is vulnerable to command injection. The variable phaseArg is derived from $ARGUMENTS using a regex that only removes specific flags, leaving shell metacharacters like ;, &, or | intact. This variable is then interpolated into a Bash() command for directory creation.
      • Evidence: The implementation uses Bash("mkdir -p ${sessionFolder}") where sessionFolder is constructed using the unsanitized phaseArg from user input.
  • [COMMAND_EXECUTION]: The 'Shared Discovery Board Protocol' instructs agents to use a shell echo command to append JSON data to a file. This creates a secondary injection risk if the data being logged contains single quotes or other shell metacharacters.
      • Evidence: The protocol documentation explicitly suggests the use of echo '...JSON...' >> {file}.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by reading task definitions from local files and passing them to sub-agents without boundary markers or sanitization.
      • Ingestion points: Reading task details from .workflow/phases/{phase}/plan.json and .task/TASK-*.json.
      • Boundary markers: Absent. Instructions and data are passed directly to spawn_agents_on_csv.
      • Capability inventory: Sub-agents have access to sensitive tools including Bash, Write, and Edit.
      • Sanitization: None detected for the task content (description, hints, convergence criteria) before it is used to instruct executor agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 17, 2026, 01:12 AM