bad
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill instructs subagents to use 'yolo mode' and 'Auto-approve all tool calls' to bypass user confirmation prompts for tool execution.
- [COMMAND_EXECUTION]: The skill modifies the agent's configuration file ('.claude/settings.local.json') to install persistent 'PostToolUse' and 'statusLine' hooks that execute shell commands automatically.
- [DATA_EXFILTRATION]: An installed activity log hook records tool usage details, including potentially sensitive inputs, to files located in the user's home directory ('~/.claude/projects/...').
- [PROMPT_INJECTION]: The skill processes data from GitHub PRs and local files and passes it to autonomous subagents without using boundary markers or sanitization, creating an attack surface for indirect prompt injection.
  - Ingestion points: External GitHub PR content and local project files ('_bmad-output/planning-artifacts/epics.md', '_bmad-output/implementation-artifacts/sprint-status.yaml').
  - Boundary markers: Absent from prompts involving untrusted data.
  - Capability inventory: Use of the 'Agent' tool to spawn subagents with 'Bash' and 'FileWrite' capabilities.
  - Sanitization: No evidence of escaping or validation for external data before prompt interpolation.
- [EXTERNAL_DOWNLOADS]: Fetches PR, issue, and status information from GitHub's API using curl for automated pipeline updates.