bmad-edit-prd

Fail

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: In steps-e/step-e-01-discovery.md, the skill instructs the agent to execute the shell command ls -t {prd_folder_path}/validation-report-*.md. The variable {prd_folder_path} is derived from user input representing a file path. A lack of sanitization allows for command injection if a user provides a path containing shell metacharacters such as semicolons, backticks, or pipes.
  • [REMOTE_CODE_EXECUTION]: The skill frequently instructs the agent to execute local Python scripts using python3 {project-root}/_bmad/scripts/resolve_customization.py, as seen in SKILL.md and steps-e/step-e-04-complete.md. This pattern executes code based on the contents of the project directory.
  • [DATA_EXFILTRATION]: Due to the command injection vulnerability in the shell execution point, the skill is susceptible to the exfiltration of sensitive environment variables or local files to an external server.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted PRD files without employing boundary markers or sanitization logic.
  • Ingestion points: Untrusted content from PRD files is loaded in steps-e/step-e-01-discovery.md and steps-e/step-e-03-edit.md.
  • Boundary markers: The instructions do not define delimiters or provide warnings to ignore embedded instructions within the PRD content.
  • Capability inventory: The skill has the capability to execute shell commands, run Python scripts, and modify files on the host system.
  • Sanitization: There is no evidence of input validation or content filtering for the data processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 15, 2026, 11:50 AM
Security Audit — agent-trust-hub — bmad-edit-prd