bmad
Fail
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/install.sh` contains a high-risk command pattern: `curl -sSfL https://plannotator.ai/install.sh | sh`. This downloads a script from an untrusted internet source and executes it directly with shell privileges, which could be exploited to compromise the host system.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download of third-party tools from unverified sources, including the `plannotator` CLI and references to `fabric` and `npx skills add` commands targeting non-trusted repositories.
- [DATA_EXFILTRATION]: In `scripts/phase-gate-review.sh`, the skill pipes the entire content of project documents (PRDs, Architecture specs, and Tech Specs) to the `plannotator submit` command. This sends potentially sensitive intellectual property and technical secrets to an external server (plannotator.ai) that is not on the trusted vendor list.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection.
  - Ingestion points: Document files processed by `scripts/phase-gate-review.sh` and piped to `fabric`.
  - Boundary markers: Absent in scripts.
  - Capability inventory: Shell execution in `scripts/install.sh` and network data transmission in `scripts/phase-gate-review.sh`.
  - Sanitization: Absent; the content of documents is passed directly to external utilities.
- [COMMAND_EXECUTION]: The script `scripts/phase-gate-review.sh` uses `python3 -c` to execute a wrapper script that spawns subprocesses. This execution style increases complexity and can be used to bypass simple string-based command detection.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata