main-workflow-router
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection. It ingests untrusted data from user descriptions and external files (docs/bmad-workflow-status.md, docs/sprint-status.yaml) to determine which workflow to activate.
  - Ingestion points: User prompts (product ideas) and project status files.
  - Boundary markers: Absent. There are no delimiters or instructions to ignore commands embedded in the ingested content.
  - Capability inventory: The skill possesses Bash, Write, and Read tools, enabling it to execute local scripts and modify the workspace based on influenced decisions.
  - Sanitization: Absent. There is no evidence of escaping or validating external project summaries before they are processed by the router.
- [COMMAND_EXECUTION] (HIGH): The skill automatically executes shell commands via the Bash tool to run local Python scripts (workflow_status.py, sprint_status.py, scaffold_change.py). If these scripts accept arguments derived from untrusted user input or status files, they represent a significant command injection surface, especially given the auto-invoke behavior.
Recommendations
- AI detected serious security threats
Audit Metadata