bmad-agent-sentinel
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The agent is explicitly instructed to create and execute its own Python or Bash scripts to handle 'deterministic tasks' such as calculations or API calls (found in references/capability-authoring.md). This allows the generation and execution of arbitrary shell commands and scripts on the host machine.
- [REMOTE_CODE_EXECUTION]: The skill implements a 'Learned Capabilities' framework in which the agent writes code to its persistent 'sanctum', and that code is then loaded and executed in subsequent sessions. This persistence of agent-generated executable content creates a risk of persistent compromise if the agent is manipulated into writing malicious logic.
- [DATA_EXFILTRATION]: The skill configuration allows reading project-level configuration files (_bmad/config.yaml). However, assets/CREED-template.md includes explicit 'Deny Zones' prohibiting access to .env files, credentials, secrets, and tokens, which serves as a mitigation against the accidental exposure of sensitive credentials.
- [INDIRECT_PROMPT_INJECTION]: The agent relies on reading persistent memory files and raw session logs from its 'sanctum' to maintain continuity between sessions.
  - Ingestion points: Reads from _bmad/config.yaml, MEMORY.md, and historical session logs in the sessions/ directory.
  - Boundary markers: Absent; the templates do not define explicit delimiters or instructions to ignore instructions embedded within the processed memory files.
  - Capability inventory: The agent possesses file system read/write access and the ability to author and run executable scripts.
  - Sanitization: Absent; the skill does not specify any validation or sanitization logic for data retrieved from session logs or external configuration files.
Audit Metadata