quality-review

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs a directory path using the phaseArg variable, which is derived from the $ARGUMENTS input without sufficient sanitization. This variable is then used in a Bash command: Bash("mkdir -p ${sessionFolder}"). An attacker could inject shell metacharacters (such as ;, &&, or backticks) into the arguments to execute arbitrary commands on the system.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during its multi-wave review process. Findings from independent dimension agents are collected and interpolated into the prev_context for the aggregation agent in Wave 2. Malicious content within the files being reviewed or the task summaries could potentially manipulate the aggregator's verdict or downstream actions.
Mandatory Evidence Chain:
  • Ingestion points: Reads project files, task summaries (.task/TASK-*.json), and findings from dimension agents (via tasks.csv and wave-1-results.csv).
  • Boundary markers: None identified in the instruction construction logic or CSV schema.
  • Capability inventory: Includes Bash, Write, Edit, and spawn_agents_on_csv.
  • Sanitization: There is no evidence of escaping or validating external findings before they are used to build instructions for the next wave of agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 17, 2026, 01:12 AM