bmad-agent-ux-designer
Fail
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Python script, resolve_customization.py, located at {project-root}/_bmad/scripts/. This execution occurs automatically during the agent's activation process in Step 1. While the path suggests a vendor-provided script, its location in the user's project directory means it could be replaced or modified by a malicious project.
- [COMMAND_EXECUTION]: The instructions in SKILL.md (Step 2 and Step 7) direct the agent to "Execute each entry" in the activation_steps_prepend and activation_steps_append configuration arrays. This creates a high risk of arbitrary command execution if these configuration files (which include team and personal overrides) are populated with malicious instructions.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests content from multiple external files and uses them to define its persona, persistent facts, and execution steps without any sanitization or boundary markers.
  - Ingestion points: Reads customize.toml, {project-root}/_bmad/custom/{skill-name}.toml, {project-root}/_bmad/custom/{skill-name}.user.toml, {project-root}/_bmad/bmm/config.yaml, and any file matching project-context.md across the project root.
  - Boundary markers: No delimiters or safety instructions are used when loading content from these files to prevent the agent from obeying instructions embedded within them.
  - Capability inventory: The skill can execute shell commands via Python, read local files, and invoke other agent skills or prompts directly from configuration (Step 8).
  - Sanitization: The skill does not perform any validation, escaping, or filtering of the content loaded from configuration or fact files before executing it or using it in its prompt context.
Recommendations
- AI detected serious security threats
Audit Metadata