bmad-edit-prd
Fail
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: In
steps-e/step-e-01-discovery.md, the skill instructs the agent to execute the shell commandls -t {prd_folder_path}/validation-report-*.md. The variable{prd_folder_path}is derived from user input representing a file path. A lack of sanitization allows for command injection if a user provides a path containing shell metacharacters such as semicolons, backticks, or pipes. - [REMOTE_CODE_EXECUTION]: The skill frequently instructs the agent to execute local Python scripts using
python3 {project-root}/_bmad/scripts/resolve_customization.py, as seen inSKILL.mdandsteps-e/step-e-04-complete.md. This pattern executes code based on the contents of the project directory. - [DATA_EXFILTRATION]: Due to the command injection vulnerability in the shell execution point, the skill is susceptible to the exfiltration of sensitive environment variables or local files to an external server.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted PRD files without employing boundary markers or sanitization logic.
- Ingestion points: Untrusted content from PRD files is loaded in
steps-e/step-e-01-discovery.mdandsteps-e/step-e-03-edit.md. - Boundary markers: The instructions do not define delimiters or provide warnings to ignore embedded instructions within the PRD content.
- Capability inventory: The skill has the capability to execute shell commands, run Python scripts, and modify files on the host system.
- Sanitization: There is no evidence of input validation or content filtering for the data processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata