bmad-dev-auto

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script, "{project-root}/_bmad/scripts/resolve_customization.py", to handle project-specific configuration and completion logic. This is directed at a script within the project's own directory structure.
  • [PROMPT_INJECTION]: The instructions contain directive language designed to enforce strict adherence to the workflow steps, such as "CRITICAL: If a step says 'read fully and follow step-XX', you read and follow step-XX. No exceptions."
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the various planning artifacts it processes.
  • Ingestion points: The skill reads external files such as PRDs, architecture documents, and epics to generate development context as seen in "step-01-clarify-and-route.md" and "compile-epic-context.md".
  • Boundary markers: No explicit delimiters or "ignore embedded instructions" warnings are used when reading these artifacts.
  • Capability inventory: The skill possesses the ability to execute local scripts, write files to disk, and launch subagents with the ingested context.
  • Sanitization: Content from planning artifacts is interpolated into prompts for planning and implementation without verification or sanitization.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 06:17 PM
Security Audit — agent-trust-hub — bmad-dev-auto