bmad-spec
Warn
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is instructed to run arbitrary shell commands defined in the configuration file
customize.toml. These hooks, includingactivation_steps_prepend,activation_steps_append, andon_complete, allow for the execution of any command the agent is capable of running.- [REMOTE_CODE_EXECUTION]: During activation, the skill executes a Python script from the project's core directory:python3 {project-root}/_bmad/scripts/resolve_customization.py. While this script belongs to the vendor's core infrastructure, it represents the execution of code outside the skill's own package.- [PROMPT_INJECTION]: The skill is designed to ingest and process a wide variety of potentially untrusted inputs (Slack threads, emails, meeting transcripts, etc.) to generate specifications. This creates a risk of indirect prompt injection where instructions embedded in the input could influence the agent's behavior or the generated output. - Ingestion points: Inputs such as brain dumps, transcripts, and emails described in
SKILL.md. - Boundary markers: The instructions do not specify any delimiters or ignore-embedded-instruction warnings for processed data.
- Capability inventory: Shell command execution, Python script execution, and file system writes.
- Sanitization: No sanitization or validation procedures are defined for the external intent inputs.
Audit Metadata