bmad-cis-design-thinking

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)

Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script at {project-root}/_bmad/scripts/resolve_customization.py during activation and completion to handle configuration merging and key resolution.
  • [COMMAND_EXECUTION]: The workflow includes a dynamic instruction execution step in Step 7, where the value of the on_complete configuration key is retrieved and followed as a terminal instruction, allowing for arbitrary agent actions based on local config content.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by loading the contents of all files matching the pattern {project-root}/**/project-context.md and treating them as 'foundational context' without sanitization.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain for indirect injection:
      1. Ingestion points: {project-root}/**/project-context.md, {project-root}/_bmad/custom/{skill-name}.toml, and user-provided context data.
      2. Boundary markers: Absent; the instructions do not define delimiters or warnings to ignore embedded instructions in the ingested files.
      3. Capability inventory: Subprocess execution via python3, dynamic following of instructions from configuration, and reading/writing files within the project directory.
      4. Sanitization: Absent; no validation, escaping, or filtering is applied to the content of the context files or the resolved terminal instructions.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 26, 2026, 05:56 AM