bmad-product-brief
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Python script located at {project-root}/_bmad/scripts/resolve_customization.py. Because the script is stored in the project directory rather than the skill's own directory, it could be tampered with by a malicious project to execute unauthorized code when the skill is activated or finalized.
- [COMMAND_EXECUTION]: The workflow is instructed to follow the workflow.on_complete setting as a terminal instruction. Since this setting is resolved from configuration files in the project root (_bmad/custom/), it could be used to inject and execute arbitrary instructions if those files are controlled by an attacker.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection, as it synthesizes information from various untrusted sources without adequate isolation.
  - Ingestion points: Project documents are scanned by agents/artifact-analyzer.md, web content is retrieved by agents/web-researcher.md, and user-provided files are read in SKILL.md.
  - Boundary markers: The prompts do not use delimiters or instructions to treat the ingested content as untrusted data.
  - Capability inventory: The skill possesses capabilities to execute shell commands, read/write files, and perform web research.
  - Sanitization: No sanitization or validation is applied to the data retrieved from external files or the web before it is processed by the agent.
Audit Metadata