bmad-cis-agent-presentation-master

Fail

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to run a Python script during its activation phase: python3 {project-root}/_bmad/scripts/resolve_customization.py --skill {skill-root} --key agent. This relies on an external script located in the project's working directory.
  • [COMMAND_EXECUTION]: The activation process involves executing arbitrary commands stored in the activation_steps_prepend and activation_steps_append arrays. These arrays are populated by merging the skill's own customize.toml with files found in the project directory, such as {project-root}/_bmad/custom/{skill-name}.toml and {project-root}/_bmad/custom/{skill-name}.user.toml. This allows for arbitrary shell command execution sourced from untrusted local files.
  • [DATA_EXFILTRATION]: The skill is configured to read potentially sensitive files from the project directory, specifically searching for project-context.md using a glob pattern (file:{project-root}/**/project-context.md). When combined with the capability to execute shell commands (e.g., curl or wget), this poses a significant risk of data exfiltration.
  • [INDIRECT_PROMPT_INJECTION]: The skill is highly exposed to indirect prompt injection. It ingests critical operational data, including personas, principles, and executable activation steps, from multiple files within the project directory (_bmad/custom/*.toml, _bmad/cis/config.yaml). No boundary markers or sanitization processes are described that would prevent malicious instructions embedded in these files from being obeyed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 26, 2026, 05:55 AM