bmad-core
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The "shard-doc.xml" task utilizes "npx @kayvan/markdown-tree-parser" to perform document splitting. This command fetches and executes code from the NPM registry at runtime, which is a vector for executing unverified external code.
- [COMMAND_EXECUTION]: The workflow steps for "Party Mode" (e.g., step-02-discussion-orchestration.md and step-03-graceful-exit.md) contain instructions to execute a local shell script at ".claude/hooks/bmad-speak.sh". This script is passed arguments containing AI-generated agent responses, which could lead to command injection if an agent is manipulated into producing shell-executable strings.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and "ground" itself in project files (PRDs, architecture docs, and technical specs) using the "discover_inputs" protocol.
  - Ingestion points: Project documents read via "workflow.xml" and "help.md".
  - Boundary markers: Absent; the skill interpolates ingested text directly into the LLM context without using delimiters or system-level instructions to ignore embedded commands.
  - Capability inventory: File system modification ("mkdir", "cp"), network-based code execution ("npx"), and shell script hooks (".claude/hooks/bmad-speak.sh").
  - Sanitization: None; the framework lacks logic to escape or validate content retrieved from project files before it influences agent behavior.
Audit Metadata