bmad-gds
Audited by Socket on Mar 11, 2026
1 alert found:
Security: The skill's stated purpose is coherent with a structured BMAD-based game development workflow. However, the installation mechanism relies on unverifiable external code from GitHub via npx, which introduces supply-chain risk and unreviewed execution. Data flows appear primarily local and artifact-focused, with no explicit credential handling or external API usage described. Given the combination of unverifiable dependency installation and potential expanded execution surface, the skill should be treated with elevated caution (suspicious-to-benign boundary) until the installation source can be verified or pinned to a trusted registry. Recommend using an auditable source or self-hosted registry for the core skill, and consider pinning a specific, verified release to mitigate supply-chain risk.