maestro-phase-transition

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to command injection in Step 3 and Step 7. The user-supplied [phase-number] argument is interpolated, unvalidated, into a shell pipeline (grep "^.workflow/phases/0*{N}-") and into a directory-creation command (mkdir -p .workflow/phases/{NN+1}-{next_slug}). A crafted phase number containing shell metacharacters (e.g. 1; rm -rf /) would be executed by the shell. The argument needs a digits-only allow-list check before it reaches either command.
  • [DATA_EXFILTRATION]: The skill reads ~/.maestro/templates/index.json from the user's home directory to load configuration templates. Reading from hidden directories under the home folder, outside the project workspace, widens the set of files the skill can reach and is a risk factor for sensitive data exposure or unauthorized file access.
  • [PROMPT_INJECTION]: Step 6 (Extract Learnings) creates an indirect prompt injection surface. It reads content from files that may be attacker-controlled (verification.json, review.json) and appends it verbatim to .workflow/specs/learnings.md with no sanitization and no boundary markers. Instructions embedded in those files are therefore persisted and may steer future agent actions whenever the learnings are re-read.
  • Ingestion points: .workflow/phases/*/verification.json, .workflow/phases/*/review.json, and .workflow/phases/*/index.json (SKILL.md Step 3 and 6).
  • Boundary markers: Absent when appending extracted text to learnings.md.
  • Capability inventory: Uses cat, ls, mkdir, and bash for file system operations (SKILL.md Step 2, 3, and 7).
  • Sanitization: No validation or escaping is performed on the data extracted from the JSON files before it is written to the markdown document.
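The two sinks flagged above (the interpolated phase number and the unmarked append to learnings.md) can both be closed with an allow-list check and explicit data boundaries. The following bash is an added example written for this page, not code from the maestro-phase-transition skill; the function names, the .workflow/phases/NN-slug directory layout and the BEGIN/END marker format are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example for this audit page, not code from the maestro-phase-transition
# skill. Function names, the .workflow/phases/NN-slug layout and the marker
# format are assumptions made for illustration.
set -euo pipefail

# Allow-list check: a phase number is one to three ASCII digits, nothing else.
# "1; rm -rf /", "", "8 " and "../7" all fail here, before any shell pipeline.
validate_phase() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 3 ]
}

# Strip leading zeros so "08" is not read as (invalid) octal by printf/$((...)).
phase_int() {
  local n
  n=$(printf '%s' "$1" | sed 's/^0*//')
  printf '%s' "${n:-0}"
}

# Two-digit directory prefix for a validated phase number: 8 -> "08".
phase_prefix() {
  printf '%02d' "$(phase_int "$1")"
}

# Safe replacement for `ls ... | grep "^.workflow/phases/0*{N}-"`: the grep
# pattern is built only from a value that passed validate_phase, so no
# metacharacter can reach grep or the pipeline.
find_phase_dir() {
  local n="$1" root="${2:-.workflow/phases}"
  validate_phase "$n" || { echo "invalid phase number: $n" >&2; return 1; }
  find "$root" -mindepth 1 -maxdepth 1 -type d 2>/dev/null \
    | grep -E "/0*$(phase_int "$n")-[A-Za-z0-9_-]+\$" || true
}

# Safe replacement for `mkdir -p .workflow/phases/{NN+1}-{next_slug}`: both
# arguments are allow-listed and the path is passed after `--` so it can
# never be parsed as an option.
make_next_phase_dir() {
  local n="$1" slug="$2" root="${3:-.workflow/phases}"
  validate_phase "$n" || { echo "invalid phase number: $n" >&2; return 1; }
  case "$slug" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid slug: $slug" >&2; return 1 ;;
  esac
  local dir
  dir="$root/$(printf '%02d' "$(( $(phase_int "$n") + 1 ))")-$slug"
  mkdir -p -- "$dir"
  printf '%s\n' "$dir"
}

# Append text taken from verification.json / review.json to learnings.md as
# clearly delimited, quoted data. Every data line is prefixed with "> ", so a
# payload cannot forge a closing marker at column 0, and a later reader (human
# or model) can tell recorded observations from instructions.
append_learning() {
  local learnings="$1" source="$2" text="$3"
  {
    printf '\n<!-- BEGIN untrusted data from %s -->\n' "$source"
    printf '%s\n' "$text" | sed 's/^/> /'
    printf '<!-- END untrusted data from %s -->\n' "$source"
  } >> "$learnings"
}
```

The allow-list is deliberately stricter than "escape what we know about": a phase number that is not purely digits is rejected outright, so there is no escaping logic to get wrong. The marker scheme does not make the quoted text harmless to a model that reads it later, but it does give the consuming agent (and any reviewer) a reliable way to treat everything between the markers as data rather than instructions.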
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 17, 2026, 01:12 AM