The Agent Skills Directory

[COMMAND_EXECUTION]: The skill accepts a --style-skill argument that allows overriding the path of the Python script used for design generation. This path is used in a shell command (python3 "${SKILL_PATH}"), which could enable the execution of arbitrary scripts if the argument is controlled by an attacker.
[REMOTE_CODE_EXECUTION]: The skill implementation relies on dynamic script resolution and execution from the filesystem based on computed paths and user-provided flags, which is a high-risk execution pattern.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads untrusted data from the project environment and passes it to sub-agents without sanitization.
Ingestion points: Contextual data is read from context.md, brainstorm results, and specification files in Step 3.
Boundary markers: No delimiters or safety instructions are used to separate the external data from the sub-agent's instructions.
Capability inventory: The skill possesses Bash, Agent, and Write capabilities, which could be abused if a sub-agent is compromised.
Sanitization: There is no evidence of content validation or filtering for the external files used in prompt construction.
[EXTERNAL_DOWNLOADS]: Generated HTML prototypes are configured to fetch assets (SVG icons) from external CDNs, introducing a network dependency.

maestro-ui-design