maestro
Warn
Audited by Snyk on Jul 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The Maestro skill runs npx to fetch/install remote skills at runtime (e.g., the command "npx skills add owner/repo@skill" used in the Discover/install flow), and the installed skill's SKILL.md is subsequently read and injected into subagent prompts — meaning remote repository content directly controls agent instructions.
Issues (1)
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).