bmad-create-story
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script located at {project-root}/_bmad/scripts/resolve_customization.py to handle configuration merging and customization logic during activation and completion.
- [COMMAND_EXECUTION]: In Step 6, the workflow resolves an instruction from the workflow.on_complete configuration key and directs the agent to execute it as a final terminal instruction. This allows for automated post-processing tasks defined in local configuration files.
- [EXTERNAL_DOWNLOADS]: Step 4 of the workflow performs web research to identify the latest stable versions, API changes, and security patches for libraries and frameworks specified in the project architecture.
- [PROMPT_INJECTION]: The checklist.md file contains forceful and competitive instructional language (e.g., 'CRITICAL MISSION', 'DISASTER PREVENTION', 'ULTIMATE story context') designed to influence the agent's behavior during quality validation. This is part of the skill's internal logic for ensuring rigorous output and does not represent an external bypass attempt.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external documentation to generate implementation stories.
  - Ingestion points: Reads various project files matching patterns for PRDs, architecture documents, UX designs, and epics (e.g., {planning_artifacts}/*prd*.md).
  - Boundary markers: The skill does not employ explicit delimiters or system-level instructions to isolate the content of ingested files from the agent's core instructions.
  - Capability inventory: The skill possesses the ability to execute local scripts, perform web research, and write files to the project directory.
  - Sanitization: No explicit sanitization or validation of the content within the ingested project files was detected before processing.
Audit Metadata