bmad-agent-dev

Status: Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script (_bmad/scripts/resolve_customization.py) during its activation sequence. This script is located within the project directory, allowing for dynamic code execution of project-controlled files.
  • [COMMAND_EXECUTION]: The configuration fields activation_steps_prepend and activation_steps_append allow for the execution of arbitrary commands or logic defined in customize.toml or its overrides. These steps are executed automatically when the skill is activated.
  • [DATA_EXFILTRATION]: The skill implements a file-loading feature via persistent_facts that uses glob patterns (e.g., {project-root}/**/project-context.md) to read files from the filesystem and include their contents in the LLM's context. This presents a risk of sensitive data exposure if the patterns are exploited or include unintended files.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from multiple sources including project files (persistent_facts) and configuration overrides (.toml and .yaml files) without using boundary markers or sanitization. An attacker who can modify these files could inject instructions to manipulate the agent's behavior or persona.
  • [COMMAND_EXECUTION]: The menu system allows the agent to execute raw prompts or other skills defined in the configuration, which could be leveraged to run unauthorized actions if the configuration files are compromised via the override mechanism.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 10, 2026, 05:25 PM