bmad-spec

Warn

Audited by Gen Agent Trust Hub on May 24, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is instructed to run arbitrary shell commands defined in the configuration file customize.toml. These hooks, including activation_steps_prepend, activation_steps_append, and on_complete, allow for the execution of any command the agent is capable of running.- [REMOTE_CODE_EXECUTION]: During activation, the skill executes a Python script from the project's core directory: python3 {project-root}/_bmad/scripts/resolve_customization.py. While this script belongs to the vendor's core infrastructure, it represents the execution of code outside the skill's own package.- [PROMPT_INJECTION]: The skill is designed to ingest and process a wide variety of potentially untrusted inputs (Slack threads, emails, meeting transcripts, etc.) to generate specifications. This creates a risk of indirect prompt injection where instructions embedded in the input could influence the agent's behavior or the generated output.
  • Ingestion points: Inputs such as brain dumps, transcripts, and emails described in SKILL.md.
  • Boundary markers: The instructions do not specify any delimiters or ignore-embedded-instruction warnings for processed data.
  • Capability inventory: Shell command execution, Python script execution, and file system writes.
  • Sanitization: No sanitization or validation procedures are defined for the external intent inputs.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 24, 2026, 11:30 PM
Security Audit — agent-trust-hub — bmad-spec