maestro-verify

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's session initialization logic extracts a phase identifier from user-provided arguments and concatenates it directly into a shell command (Bash('mkdir -p ${sessionFolder}')). Because the argument parsing logic removes only specific flags and does not sanitize shell metacharacters (e.g., semicolons, pipes, or command substitution), an attacker could provide a malicious argument to execute arbitrary shell commands on the system.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from multiple sources and passing it to verification agents.
      • Ingestion points: Reads project artifacts including index.json, plan.json, TASK-*.json, task summaries, and a human-controlled uat.md file during Phase 1 and Phase 2.
      • Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore embedded instructions within these ingested files.
      • Capability inventory: The skill possesses powerful capabilities including Bash, Write, Edit, and the ability to spawn additional agents with unknown constraints via spawn_agents_on_csv.
      • Sanitization: Absent. No escaping, validation, or filtering is performed on the content of the artifacts before they are interpolated into the context for verification agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 17, 2026, 01:12 AM