bmad-dev-story
Fail
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is configured to execute a Python script located within the user's project directory at {project-root}/_bmad/scripts/resolve_customization.py. This represents a workspace-takeover risk: a malicious repository can achieve arbitrary code execution on the user's system when the skill is activated.
- [REMOTE_CODE_EXECUTION]: In Step 10, the workflow captures the output of the customization resolver and is instructed to 'follow it as the final terminal instruction'. This creates a critical path for command injection, where configuration files in a repository (such as .toml or .yaml files) can specify shell commands that the agent will execute.
- [PROMPT_INJECTION]: The workflow relies heavily on untrusted data from the workspace to drive its implementation logic, creating an attack surface for indirect prompt injection.
- Ingestion points: The skill ingests data from several project-level files: story_file, sprint-status.yaml, config.yaml, and various customization.toml files.
- Boundary markers: No specific boundary markers or instructions to ignore embedded commands are present when reading and acting upon content from the story files.
- Capability inventory: The agent has permissions to read/write files, search directory structures, and execute shell commands (python3).
- Sanitization: Content from the workspace is processed and used to determine next steps without validation or escaping, allowing malicious stories to potentially manipulate the agent's behavior during coding or testing tasks.
Recommendations
- AI detected serious security threats
Audit Metadata