bmad-customize
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes local Python scripts for core functionality. It executes `list_customizable_skills.py` to identify installed skills that support customization and `resolve_customization.py` to verify that written overrides are correctly applied. These executions are restricted to the local environment and the skill's own project structure.
- [DATA_EXPOSURE]: The discovery script reads metadata (descriptions) and configuration definitions (`customize.toml`) from other installed BMad skills to present customization options to the user. This is an intended feature and does not involve exfiltrating data to external services.
- [SAFE]: The skill's test suite includes calls to `subprocess.run` to verify the command-line interface of the utility scripts. These calls are part of standard unit testing procedures and are executed securely without using shell interpolation.
Audit Metadata