bmad-document-project

Fail

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a Python script located at {project-root}/_bmad/scripts/resolve_customization.py during initialization and completion. Since this script resides within the user's project directory (the target of the documentation), it is an untrusted source. A malicious project could include a compromised version of this script to execute arbitrary code on the host system.
  • [DATA_EXFILTRATION]: The workflow explicitly targets sensitive files for analysis. According to documentation-requirements.csv, it scans for .env files, configuration directories, and authentication/security patterns (e.g., *auth*.ts, *session*.ts, *jwt*). Ingesting these secrets into the agent's context creates a significant risk of credential exposure or exfiltration.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. In deep-dive-instructions.md (Step 13b) and full-scan-instructions.md (Step 4), the agent is instructed to read 'complete file contents (all lines)' for every source file in a folder. The lack of boundary markers or instructions to disregard embedded commands means that adversarial text within a project's source code or README files can hijack the agent's behavior during the documentation process.
  • [COMMAND_EXECUTION]: The customization mechanism in SKILL.md (Step 1) and customize.toml allows for activation_steps_prepend and activation_steps_append. These steps are loaded from project-level TOML files and executed as commands, providing another vector for a project to trigger unauthorized actions by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 10, 2026, 05:26 PM