bmad-product-brief
Warn
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Python script (`resolve_customization.py`) during its activation phase to resolve workflow configurations. This script is located within the project's internal directory structure.
- [COMMAND_EXECUTION]: The workflow allows for the execution of sequences of instructions defined in the `customize.toml` file under `activation_steps_prepend`, `activation_steps_append`, and `on_complete`. This represents a dynamic execution pattern where strings from a configuration file are executed as agent instructions.
- [DATA_EXFILTRATION]: The skill implements 'external handoffs' using MCP tools to route generated artifacts (briefs, addendums) to external destinations such as Confluence, Notion, and Slack.
- [PROMPT_INJECTION]: The skill has a surface for Indirect Prompt Injection (Category 8) due to its core function of processing untrusted external data.
- Ingestion points: In the `Discovery` section of `SKILL.md`, the skill invites the user to provide source materials such as memos, decks, transcripts, and Slack threads for analysis.
- Boundary markers: No specific delimiters or boundary instructions are mentioned to isolate the ingested data from the agent's instructions.
- Capability inventory: The skill can execute local Python scripts, write files to the filesystem, and perform network operations via external handoff tools.
- Sanitization: There is no evidence of sanitization or filtering of the content extracted from external documents before it is processed by the agent or its subagents.
Audit Metadata