bmad-module-builder

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses Python scripts to perform local file system operations such as directory creation (mkdir -p), file copying (shutil.copytree), and directory removal (shutil.rmtree). These actions are part of the core functionality for scaffolding and cleaning up module infrastructure. The cleanup script (cleanup-legacy.py) includes safety verification checks to ensure files are backed up before removal.
  • [DATA_EXPOSURE]: The skill manages project configuration in _bmad/config.yaml and _bmad/config.user.yaml. It follows best practices by separating shared project configuration from personal user settings (config.user.yaml), which are intended to be excluded from version control.
  • [REMOTE_CODE_EXECUTION]: Static analysis flagged the use of subprocess.run() in test scripts (test-scaffold-setup-skill.py, etc.). Review of these files confirms they are used only for running the skill's own local Python scripts during development testing and do not execute untrusted remote code.
  • [SAFE]: The skill utilizes the pyyaml library for configuration parsing. The scripts correctly use yaml.safe_load() to prevent unsafe deserialization vulnerabilities.
  • [SAFE]: The skill's instructions in references/create-module.md involve reading existing SKILL.md files to understand their capabilities. While this represents a surface for indirect prompt injection, the skill mitigates risk by using structured data extraction and safe parsing methods rather than direct prompt interpolation of raw text into sensitive commands.
Audit Metadata
Risk Level: SAFE
Analyzed: May 14, 2026, 11:24 AM
Security Audit — agent-trust-hub — bmad-module-builder