bmad-prfaq
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE · COMMAND_EXECUTION · DATA_EXFILTRATION · PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs shell command execution using `python3` to run a customization resolver script located at `{project-root}/_bmad/scripts/resolve_customization.py`. This occurs during the activation phase and upon completion of the workflow.
- [DATA_EXFILTRATION]: The `Artifact Analyzer` agent is specifically designed to scan local directories and project files to extract content. While intended for research, this capability allows the agent to read arbitrary files within the scoped project paths and user-provided paths.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from both the local file system and web search results.
  - Ingestion points: External data enters the context via `agents/artifact-analyzer.md` (local project documents) and `agents/web-researcher.md` (web search results).
  - Boundary markers: The skill lacks explicit instructions or delimiters to isolate ingested data from the agent's internal instruction set, increasing the risk that embedded commands in those sources could be obeyed.
  - Capability inventory: The agent has the ability to execute shell commands (`python3`), perform web searches, and write files to the local system.
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content extracted from external documents or web pages before it is used to influence the 'coaching' logic or document generation.
Audit Metadata