maestro-plan

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to create directories based on a session ID derived from user arguments. The variable phaseArg is constructed by removing specific flags from $ARGUMENTS but does not sanitize for shell metacharacters like ;, &, |, or backticks. A malicious input like "3; rm -rf /" would result in a Bash call executing arbitrary commands.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting untrusted data from the codebase to drive planning decisions.
  • Ingestion points: Reads contents from context.md, index.json, issues.jsonl, and codebase documentation (as described in Phase 1 context loading logic in SKILL.md).
  • Boundary markers: Absent; there are no specific delimiters or instructions to ignore embedded commands within the processed files.
  • Capability inventory: The skill has access to high-privilege tools including Bash, Write, and spawn_agents_on_csv which can be used to execute the resulting (potentially poisoned) plan.
  • Sanitization: Absent; the content of external files is directly interpolated into instructions for the planning sub-agents without validation or escaping.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 17, 2026, 01:12 AM