architecture-review
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from external architecture and requirements files without adequate protection.
  - Ingestion points: The architecture_file and requirements_file provided as inputs are read into the agent's context (SKILL.md).
  - Boundary markers: The skill does not use specific delimiters or instructions to treat the ingested file content as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill can execute a local Python script to perform file reads and generates a detailed analytical report based on the input.
  - Sanitization: There is no evidence of sanitization or validation of the input file content before it is processed by the agent.
- [COMMAND_EXECUTION]: The workflow involves executing a local Python script (.claude/skills/bmad-commands/scripts/read_file.py) to read input files. This creates a dependency on the local environment's scripts.
- [DATA_EXFILTRATION]: The skill allows the agent to read any file path provided via the architecture_file parameter. This capability could be used to expose sensitive system or configuration files if the agent is directed to an unintended path.
Audit Metadata