maestro-e2e

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The installation instructions in rules/installation.md and rules/ci-integration.md recommend piping a remote script directly into a shell: curl -Ls "https://get.maestro.mobile.dev" | bash. This is a dangerous pattern as it executes unverified remote code with the user's shell privileges.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill documents the runScript and evalScript commands in rules/advanced/javascript.md. While file system access is restricted, these commands allow the execution of arbitrary JavaScript logic within the Maestro runtime, including network operations.
  • [DATA_EXFILTRATION] (MEDIUM): In rules/advanced/javascript.md, the skill provides examples of using http.get and http.post to interact with external APIs. While intended for testing, this capability could be used to exfiltrate sensitive data if an attacker-controlled UI influences the script parameters.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: Reads untrusted UI hierarchy data via maestro hierarchy and extractTextWithAI (documented in rules/debugging.md and rules/commands.md).
      • Boundary markers: None. The skill does not recommend any delimiters or instructions to ignore embedded commands in the UI elements being tested.
      • Capability inventory: Includes arbitrary command execution (adb, xcrun), network requests (http), and UI interactions (tapOn, inputText).
      • Sanitization: None. Data extracted from the UI is directly used in assertions and logic.
  • [COMMAND_EXECUTION] (LOW): The skill provides extensive documentation for interacting with system tools like adb and xcrun. While necessary for mobile testing, these are high-privilege operations.
  • [PERSISTENCE] (MEDIUM): Instructions in rules/installation.md suggest modifying user shell profiles (~/.zshrc or ~/.bashrc) to update the PATH. This is a standard persistence pattern for CLI tools but should be noted for security awareness.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:17 AM