team-lifecycle-v4

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to the way it processes untrusted external data.
  • Ingestion points: Untrusted data enters the agent context through the initial task description in SKILL.md, user feedback strings in roles/executor/commands/fix.md, and the results of recursive codebase exploration (@**/*) in roles/analyst/role.md and roles/planner/role.md.
  • Boundary markers: While the prompt templates in roles/executor/commands/implement.md and roles/writer/role.md use structural headers (e.g., "PURPOSE:", "TASK:", "CONTEXT:"), they lack robust delimiters like triple-backticks or XML tags for interpolated variables, and they do not include explicit instructions to ignore embedded commands within those variables.
  • Capability inventory: The skill possesses powerful capabilities that could be abused if an injection succeeds, including arbitrary shell command execution via the Bash tool, file modification via Write/Edit, and the ability to spawn new autonomous sub-agents with the Agent tool.
  • Sanitization: There is no evidence of string sanitization or validation to neutralize potentially malicious instructions within the ingested data before interpolation.
  • [COMMAND_EXECUTION]: The skill frequently uses the Bash tool to perform essential tasks such as running test suites (vitest, jest, pytest in roles/tester/role.md) and invoking platform-specific delegation tools (maestro delegate in multiple role files). This usage is consistent with the skill's purpose as an automated developer but provides an execution path for injected instructions.
  • [DATA_EXFILTRATION]: To perform its primary function, the skill performs deep codebase exploration. In roles/analyst/role.md and roles/planner/role.md, it uses the maestro delegate tool with a global context (@**/*), which results in the agent reading all files in the project workspace. If sensitive files like .env, .ssh, or AWS credentials are present and not explicitly excluded by the platform's tool configuration, they would be accessible to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 17, 2026, 01:12 AM