bmad-idea

SUSPICIOUS: the skill’s stated purpose is benign and I found no credential harvesting or exfiltration behavior, but its footprint includes third-party skill installation from an unpinned GitHub repo plus explicit handoff to other skills, creating medium supply-chain and transitive-trust risk disproportionate to a creative ideation helper. Risk is from how the skill is distributed and extended, not from confirmed malicious behavior.