bmad-commands

Warn

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run extensively across multiple files (jest_adapter.py, pytest_adapter.py, junit_adapter.py, cargo_adapter.py, go_test_adapter.py, gtest_adapter.py) to execute system commands such as npm, pytest, mvn, gradle, ctest, cargo, and go. While these are standard development utilities, the scripts use directory paths and parameters directly from inputs, which could be exploited to run commands in unintended directories.
  • [COMMAND_EXECUTION]: scripts/framework_registry.py implements a dynamic loading mechanism using importlib.import_module and getattr. It loads adapter classes based on paths defined in the .claude/config.yaml file. An attacker capable of modifying this local configuration file could achieve arbitrary code execution by directing the registry to load and instantiate malicious Python modules.
  • [DATA_EXFILTRATION]: The scripts/read_file.py utility allows the agent to read the contents of any file on the file system provided via the --path argument. Although intended for workspace operations, this provides a broad primitive for data exposure that could be used to access sensitive files (e.g., SSH keys, environment variables) if the agent is subjected to prompt injection.
  • [COMMAND_EXECUTION]: The scripts/deploy-to-project.sh and scripts/health-check.sh scripts perform various file system operations including recursive copying and executing Python scripts. These scripts lack strict path sanitization, relying on the environment to constrain their behavior.
  • [COMMAND_EXECUTION]: The skill provides an indirect prompt injection surface through multiple ingestion points:
      • Ingestion points: scripts/read_file.py (arbitrary file content), scripts/run_tests.py (stdout/stderr from test runners), and scripts/monitor-skills.py (parsing SKILL.md files).
      • Boundary markers: Absent. Content is returned to the agent without explicit delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill possesses significant capabilities including arbitrary file reading (read_file.py), file writing (extract_adrs.py, generate_architecture_diagram.py), and system command execution (run_tests.py via adapters).
      • Sanitization: Absent. Data is processed via regex or JSON parsing and returned directly, providing no defense against malicious instructions embedded in the processed data.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 23, 2026, 08:44 AM