langchain-bmad

SUSPICIOUS: The skill is mostly coherent as a framework/workflow guide and uses apparently legitimate install sources, but it instructs transitive installation of other skills—including a wildcard load—which expands agent trust beyond this skill’s own scope. No credential harvesting, exfiltration, or deceptive data flow is evident, so this is not malicious; the main concern is medium supply-chain/transitive-trust risk.