bmad-technical-research

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a local Python script located at {project-root}/_bmad/scripts/resolve_customization.py to handle configuration merging and workflow customization. This script is part of the agent's framework and is used to resolve settings from .toml files.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to perform extensive web searches to retrieve current information on technology stacks, architecture, and implementation patterns. This search activity is the core function of the research agent.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it ingests and synthesizes data from external web sources. To mitigate this, the workflow includes detailed 'Mandatory Execution Rules' and 'Success Metrics' for each step, instructing the agent to focus strictly on its role as a research planner and analyst.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 07:37 AM
Security Audit — agent-trust-hub — bmad-technical-research