bmad-retrospective

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local Python scripts (resolve_customization.py, resolve_config.py) found in the project's _bmad/scripts directory to handle configuration logic. This is part of the 'bmad-labs' framework's standard operating procedure.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The workflow reads a variety of sensitive project documents, such as epic plans, story implementations, and project context files. All data processing occurs within the agent's local context and no external network transmission was observed.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes a significant amount of external, user-provided text from story records and project documentation, creating an attack surface for instructions embedded in those files.
      • Ingestion points: Epics, story records, and project context files from the project root.
      • Boundary markers: None identified to delimit or protect against instructions within documentation.
      • Capability inventory: Includes file system write access and execution of terminal commands via framework scripts.
      • Sanitization: No explicit content validation or sanitization is mentioned.
  • [DYNAMIC_EXECUTION]: The skill provides a hook (on_complete) that allows for the execution of terminal commands defined in project configuration files. While this enables workflow extensibility, it creates a mechanism for dynamic command execution based on local config.
Audit Metadata
Risk Level: SAFE
Analyzed: May 10, 2026, 05:26 PM