bmad-cis-agent-innovation-strategist

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a Python script located at '{project-root}/_bmad/scripts/resolve_customization.py' during the activation phase. This pattern involves executing code residing in the user's project workspace rather than the skill's own directory.
  • [COMMAND_EXECUTION]: Steps 2 and 7 in 'SKILL.md' instruct the agent to "Execute each entry" in the 'activation_steps_prepend' and 'activation_steps_append' arrays. These values are retrieved from 'customize.toml' and project-level overrides, which could allow an attacker to inject and execute arbitrary shell commands via a malicious project configuration.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface.
    - Ingestion points: Files located at '{project-root}/_bmad/custom/{skill-name}.toml', '{project-root}/_bmad/cis/config.yaml', and Markdown files matching the pattern '{project-root}/**/project-context.md'.
    - Boundary markers: None identified.
    - Capability inventory: Subprocess execution via Python, arbitrary command execution (activation steps), and file system read access.
    - Sanitization: No sanitization or validation of the externalized configuration data is performed before it is processed or executed.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 26, 2026, 05:56 AM