bmad-agent-pm
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Python script located at
{project-root}/_bmad/scripts/resolve_customization.pyduring its activation process. This involves executing code from a computed path within the project environment. - [COMMAND_EXECUTION]: The activation workflow includes steps to execute arbitrary entries defined in
{agent.activation_steps_prepend}and{agent.activation_steps_append}. While empty by default, this mechanism allows for the execution of arbitrary shell commands or instructions if configuration overrides are present in the project structure. - [DATA_EXFILTRATION]: The skill implements broad file system access using glob patterns (e.g.,
file:{project-root}/**/project-context.md) to load contents as persistent facts. This ingestion of project-level data without clear boundary markers or sanitization creates an attack surface for indirect prompt injection. - Ingestion points:
{project-root}/**/project-context.mdin SKILL.md (Step 4). - Boundary markers: Absent; the content is loaded directly as foundational context.
- Capability inventory: Local Python script execution (Step 1), arbitrary command execution via activation steps (Steps 2 & 7), and invocation of other skills via the menu system.
- Sanitization: None detected for the ingested file content.
Audit Metadata