bmad-tech-spec

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
  • [SAFE]: Analysis of the skill instructions and the provided technical specification template revealed no evidence of malicious behavior, obfuscation, or high-risk command execution. The skill is scoped correctly for its documentation and planning purpose.
  • [PROMPT_INJECTION]: The skill handles untrusted input, which is a surface for indirect prompt injection.
    • Ingestion points: The workflow incorporates data from interactive user conversations and local project files such as bmad-output/project-context.md and bmad-output/tech-spec.md into the generated documents.
    • Boundary markers: The tech-spec.template.md uses standard placeholders without explicit delimiters or guardrail instructions to isolate untrusted input from the document structure.
    • Capability inventory: The skill is configured with tools for file manipulation (Read, Write, Edit, Glob, Grep) and information gathering (WebSearch, WebFetch).
    • Sanitization: Input is not programmatically sanitized, but the skill implements a 'Validation Checklist' requiring the agent to confirm that 'No content instructs a dev agent to run tests, lint, build, or deploy', which acts as a deterrent against malicious instructions being persisted in the planning output.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 20, 2026, 12:30 PM