bmad-party-mode
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in
steps/step-02-discussion-orchestration.mdandsteps/step-03-graceful-exit.mddirect the agent to execute a local bash script at.claude/hooks/bmad-speak.sh. This script is passed the agent's name and its generated response as arguments. Using a shell to process LLM-generated strings is a risky pattern that could lead to command injection if the underlying script does not properly sanitize its inputs. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data ingestion process. In
steps/step-01-agent-loading.md, it parses a manifest file (_bmad/_config/agent-manifest.csv) to extract agent identities, roles, and communication styles. These values are then interpolated into the conversation orchestration logic. - Ingestion points: The skill reads
agent-manifest.csvand individual agent files referenced by the manifest insteps/step-01-agent-loading.md. - Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore potentially malicious content embedded within the manifest data.
- Capability inventory: The skill has the capability to execute shell commands via the
.claude/hooks/bmad-speak.shscript documented insteps/step-02-discussion-orchestration.mdandsteps/step-03-graceful-exit.md. - Sanitization: No sanitization or validation of the input CSV or agent files is mentioned in the workflow.
Audit Metadata