
maestro

Warn

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to resolve user intents into shell commands and execute them directly using the Bash tool. As described in A_EXEC_STEP, the coordinator dynamically constructs command strings (e.g., $skill {resolved_args}) and invokes them in the current context.
  • [PROMPT_INJECTION]: The skill processes user-provided input from $ARGUMENTS to classify tasks and determine command parameters. This creates a surface area for indirect prompt injection or command injection if a user provides specially crafted intent text designed to manipulate the resulting shell command.
  • [DATA_EXFILTRATION]: The skill interacts with the user's home directory by reading and writing to ~/.maestro/ and searching for scripts in ~/.codex/skills/. While this appears to be for configuration and plugin discovery, the ability to read from sensitive hidden directories in the home folder is a noted capability.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 24, 2026, 08:07 AM