Skills
skills/julianobarbosa/claude-code-skills/bmad-orchestrate/Gen Agent Trust Hub

bmad-orchestrate

Fail

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to run the claude CLI with the --dangerously-skip-permissions flag in Workflows/Execute.md. This explicitly bypasses the environment's security model, allowing the execution of potentially destructive commands without user review or explicit consent.
  • [COMMAND_EXECUTION]: In Workflows/Execute.md, the skill uses tmux to launch processes in background panes. This method of execution reduces visibility into the agent's background activities, and when combined with the security bypass flag, poses a significant risk of undetected malicious behavior.
  • [EXTERNAL_DOWNLOADS]: The skill initiates network requests via curl to http://localhost:8888/notify across multiple files including SKILL.md and all workflow definitions. This creates an unauthenticated external dependency on a local network service for notification purposes.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its reliance on untrusted external data to define execution paths.
  • Ingestion points: The Workflows/Analyze.md logic reads sprint-status.yaml, epics.md, and various story-level markdown files to build dependency graphs and plan parallel execution phases.
  • Boundary markers: Absent. The skill lacks delimiters or specific instructions for the agent to distinguish between its own logic and data found in the analyzed project files.
  • Capability inventory: The skill has access to powerful capabilities including git repository manipulation (git worktree), process orchestration (tmux), and the ability to spawn sub-agents with security bypasses enabled.
  • Sanitization: No validation or sanitization is performed on the content of the ingested files before they influence the formulated shell commands and orchestration logic.
  • [COMMAND_EXECUTION]: The SKILL.md file directs the agent to load and apply customizations from ~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/BmadOrchestrate/. Loading configuration or resources from user-writable paths can be exploited to override skill logic with malicious instructions via the local file system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 13, 2026, 01:13 PM
Security Audit — agent-trust-hub — bmad-orchestrate