maestro-link-coordinate
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, NO_CODE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to construct shell commands by interpolating user-provided variables ('intent', 'chain', 'sessionId') directly into command strings. For example, the instruction to run `maestro coordinate start "${intent}"` provides a clear vector for command injection. If a user provides an intent containing shell metacharacters like `;`, `&`, or backticks, the agent could inadvertently execute arbitrary commands on the host system.
- [DATA_EXFILTRATION]: The lack of input validation and the instructions to execute shell commands based on user input create a high risk of data exfiltration. An attacker could craft an 'intent' that reads sensitive files (such as SSH keys or environment variables) and transmits them to an external server using standard utilities like `curl` or `wget` available via the `Bash` tool.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core logic relies on processing JSON output from an external CLI tool to drive a loop that can execute further commands.
  - Ingestion points: Output from `maestro coordinate next`, `maestro coordinate status`, and `maestro coordinate start` (SKILL.md).
  - Boundary markers: No boundary markers or instructions to ignore embedded instructions are present in the logic that processes the CLI responses.
  - Capability inventory: The skill has access to powerful tools including `Bash`, `Write`, `Read`, `Glob`, and `Grep` (SKILL.md).
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the CLI output before it is parsed and used to decide the next step in the agent's execution flow.
- [NO_CODE]: The skill does not include any executable scripts or binary files, consisting solely of instructional markdown. However, the logic within the markdown instructions creates the aforementioned security vulnerabilities.