bmad-idea

SUSPICIOUS: the stated purpose is benign, but the installation model is a transitive third-party skill load with broader local permissions than a creativity workflow appears to need. I see no credential harvesting or exfiltration in the provided content, so this looks more like medium supply-chain/trust risk than confirmed malware.