bmad-orchestrator
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses a high-risk installation pattern in
scripts/install.shandSETUP.mdthat pipes a remote shell script fromhttps://plannotator.ai/install.shdirectly intosh. This allows for arbitrary code execution from an unvetted source.\n- [DATA_EXFILTRATION]: Thescripts/phase-gate-review.shscript is designed to send the full text of project deliverables (such as PRDs and architecture specs) to the external serviceplannotator.aivia theplannotator submitcommand, potentially exposing sensitive project information.\n- [COMMAND_EXECUTION]: Several scripts, includingscripts/check-status.shandscripts/phase-gate-review.sh, usepython3 -cto execute dynamically generated Python code for YAML parsing and process management.\n- [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface by reading and processing project documents (Ingestion points:docs/*.md) without sanitization or boundary markers. This creates a risk where malicious instructions embedded in documents could manipulate the agent's behavior during later implementation phases.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata