bmad-advanced-elicitation

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it processes conversation history and project content without explicit boundary markers.
  • Ingestion points: Conversation history and 'current section content' are used as input for the elicitation process.
  • Boundary markers: Absent. The skill does not instruct the agent to use specific delimiters or to ignore embedded instructions within the content being refined.
  • Capability inventory: The agent is authorized to read local files (methods.csv, agent-manifest.csv) and potentially write/apply changes to documents (conditional on user approval). No network operations or arbitrary command execution capabilities were identified.
  • Sanitization: Absent. There is no evidence of filtering or validation for the content processed by the elicitation methods.
  • [SAFE]: The skill accesses a configuration file at {project-root}/_bmad/_config/agent-manifest.csv. This appears to be a standard operational practice for the 'bmad' framework to which the author belongs, used to establish agent context.
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 09:53 AM