bmad-agent-pm

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute a Python script located at {project-root}/_bmad/scripts/resolve_customization.py to manage its configuration. This execution is confined to the local project environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection by ingesting untrusted content from the project workspace into its persistent memory.
  • Ingestion points: The agent loads facts from files matching {project-root}/**/project-context.md and configuration from {project-root}/_bmad/bmm/config.yaml.
  • Boundary markers: Absent. The instructions specify that the agent should treat loaded content as foundational context without using delimiters or safety warnings to ignore instructions within the data.
  • Capability inventory: The agent is capable of shell command execution (python3), file system access, and invoking secondary skills through a menu system.
  • Sanitization: None. Content is loaded and adopted as persistent facts verbatim without filtering or validation.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 11:49 AM
Security Audit — agent-trust-hub — bmad-agent-pm