bmad-investigate
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is designed for issue investigation and documentation, adhering to a "read-only" philosophy regarding application code.
- [COMMAND_EXECUTION]: Uses platform-provided tools (Grep, Glob, Read, Write) for legitimate file system operations within the project scope. No arbitrary command execution via shell is present.
- [DATA_EXFILTRATION]: No network operations or access to sensitive credentials (e.g., .env, .ssh) detected. Data remains within the local project output directory.
- [PROMPT_INJECTION]: Instructions do not contain patterns for bypassing safety filters, extracting the system prompt, or disregarding prior rules. While the skill ingests user-provided logs (an indirect injection surface), its restricted scope as a planning tool with no implementation capability mitigates this risk.
- [REMOTE_CODE_EXECUTION]: No external packages, remote scripts, or dynamic code execution patterns were found.
Audit Metadata