bmad-orchestrator

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The URL is a GitHub repository from an unknown user and the skill prompt tells you to install/run it via npx (which executes code from the repo), so while not an obvious malicious binary it is a potentially risky/untrusted source for executing code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill programmatically submits phase documents to the third-party plannotator service (plannotator.ai) and explicitly opens the plannotator review UI for external stakeholders to annotate/approve (see SKILL.md and scripts/phase-gate-review.sh), and those reviewer annotations/approval results are read/used to update workflow status and drive phase transitions—exposing the agent to untrusted, user-generated content that can influence actions.