bmad-document-project

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: In SKILL.md, the activation process executes a local script using the command python3 {project-root}/_bmad/scripts/resolve_customization.py. Since {project-root} refers to the project currently being documented by the user, this allows an attacker to gain remote code execution by including a malicious script at that path in a repository. When the agent is asked to document the repository, it will execute the script.
  • [PROMPT_INJECTION]: The skill implements an 'Exhaustive Scan' and 'Deep-Dive' mode (detailed in workflows/full-scan-instructions.md and workflows/deep-dive-instructions.md) that explicitly requires the agent to read every line of every source file in the project. This establishes a significant attack surface for indirect prompt injection. Malicious instructions embedded in comments or strings within the project's codebase could be used to manipulate the agent's behavior during the documentation process.
      • Ingestion points: The agent reads all source files recursively from the project root (Step 13b in deep-dive-instructions.md and Step 4 in full-scan-instructions.md).
      • Boundary markers: No specific boundary markers or 'ignore' instructions are used when processing the source code content.
      • Capability inventory: The agent has the capability to execute shell commands (python3), write files to the project directory, and read all files in the project.
      • Sanitization: There is no evidence of sanitization or filtering of the content read from source files before it is processed by the agent's logic.
  • [DATA_EXPOSURE]: The workflow involves reading extensive amounts of project data, including configurations and source code. While the skill's primary purpose is documentation, this level of access poses a risk if the agent inadvertently includes sensitive information (such as credentials, API keys, or proprietary logic) in the generated markdown artifacts, which are then written to disk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 22, 2026, 03:39 AM