bmad-edit-prd

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell commands and Python scripts as part of its workflow management.
      • It runs python3 {project-root}/_bmad/scripts/resolve_customization.py to merge configuration settings from customize.toml and user overrides.
      • In step-e-01-discovery.md, it executes ls -t to locate recent validation reports in the file system.
      • In step-e-04-complete.md, it provides an on_complete hook that allows executing a resolved command string as a terminal instruction. This is a feature that could be exploited if an attacker can modify the local .toml configuration files.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it reads and processes untrusted user data (PRDs and validation reports) to drive the editing workflow.
      • Ingestion points: The skill reads the content of PRD files ({prd_file_path}) in step-e-01-discovery.md and validation reports ({validation_report_path}) in step-e-02-review.md to identify issues and plan changes.
      • Boundary markers: No explicit boundary markers or delimiters are used when the agent reads these files. There are no instructions to ignore potential commands embedded within the PRD content.
      • Capability inventory: The agent has the ability to execute shell commands (ls, python3), write to the file system, and invoke other skills (bmad-advanced-elicitation, bmad-party-mode, bmad-validate-prd).
      • Sanitization: No sanitization or validation of the ingested text is performed before it is processed by the agent to create the 'Deep Review' or 'Edit' plans.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 10, 2026, 05:26 PM