bmad-brainstorm

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is designed for planning and ideation, with explicit instructions that it does not write application code or run tests. All external interactions are limited to standard tools permitted in the configuration.
  • [COMMAND_EXECUTION]: The skill utilizes local shell scripts (scamper-prompts.sh, swot-template.sh) to generate text scaffolds. These scripts are invoked with user-provided topics and output formatted text, presenting no risk of arbitrary code execution.
  • [DATA_EXFILTRATION]: File access is restricted to the skill's own directory and a user-configured bmad-output/ folder. No attempts to access sensitive system files or credentials were found.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection due to data ingestion.
      • Ingestion points: bmad-output/project-context.md and bmad-output/decision-log.md in SKILL.md.
      • Boundary markers: Absent; the skill does not use delimiters to wrap this ingested content.
      • Capability inventory: Local script execution via Bash and file manipulation via Write, Edit, and TodoWrite tools in SKILL.md.
      • Sanitization: Absent; the skill does not escape or validate the content of ingested files before processing.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 20, 2026, 12:30 PM
Security Audit — agent-trust-hub — bmad-brainstorm