alinaqi/claude-bootstrap/maggy (Gen Agent Trust Hub)

maggy

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill's 'Execute Pipeline' documentation confirms it spawns the agent with the --dangerously-skip-permissions flag. This configuration bypasses standard interactive approval for file writes and shell commands, allowing for fully automated, unvetted command execution.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from external issue trackers like GitHub and Asana and interpolates this content directly into prompts that drive the automated execution pipeline. A malicious actor could author a ticket containing instructions that override the agent's behavior.
  • [REMOTE_CODE_EXECUTION]: The combination of processing attacker-controlled input (issue descriptions/comments) and executing that input with elevated, non-interactive shell permissions provides a direct path for remote code execution (RCE) on the developer's workstation.
  • [CREDENTIALS_UNSAFE]: The skill workflow requires the export of sensitive environment variables, including GITHUB_TOKEN and ANTHROPIC_API_KEY. These credentials reside in the same execution environment where safety filters are disabled, significantly increasing the risk of exfiltration if an injection occurs.
  • [DATA_EXFILTRATION]: The skill utilizes network-enabled providers to fetch data from APIs and generates briefs from RSS feeds. If compromised via prompt injection, these existing network capabilities could be repurposed to exfiltrate local files or environment variables.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 11, 2026, 02:43 PM
Security Audit — agent-trust-hub — maggy