bmad-builder
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes local shell scripts (scaffold-skill.sh, validate-skill.sh) for automation. These scripts include robust input validation, such as regex checks on skill names, and operate within the local project structure. This is standard behavior for developer-oriented tools.
- [PROMPT_INJECTION]: No malicious instructions aimed at overriding agent behavior or bypassing safety filters were found. The skill's instructions are focused on enforcing project boundaries (e.g., 'Scope Law') and ensuring technical compliance.
- [EXTERNAL_DOWNLOADS]: The skill does not perform any network operations or external downloads. All templates and validation scripts are provided as local files within the skill directory.
- [DATA_EXFILTRATION]: No patterns indicative of data exfiltration or credential harvesting were detected. The skill uses environment-specific path variables (e.g., ${CLAUDE_PLUGIN_ROOT}) to manage local file system operations.
Audit Metadata