bmad-cis-problem-solving

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a Python script from a path relative to the project root ({project-root}/_bmad/scripts/resolve_customization.py) during the activation and completion phases to handle configuration merging.
  • [COMMAND_EXECUTION]: The workflow instructions require the agent to "Execute each entry" from configuration arrays such as activation_steps_prepend, activation_steps_append, and on_complete. These entries are sourced from project-level configuration files (_bmad/custom/{skill-name}.toml), which allows for arbitrary instruction execution based on local file content.
  • [DATA_EXFILTRATION]: The persistent_facts mechanism uses glob patterns (e.g., file:{project-root}/**/project-context.md) to read files from the project directory into the agent's context, potentially exposing sensitive information if the glob matches unintended files.
  • [PROMPT_INJECTION]: The skill processes untrusted data from user inputs and external files (e.g., config.yaml, .toml files) and interpolates them into templates without explicit sanitization or boundary markers, creating a surface for indirect prompt injection.
      • Ingestion points: user data attributes, user responses, customize.toml, and config.yaml.
      • Boundary markers: Absent.
      • Capability inventory: Shell script execution (python3) and instruction processing from variables.
      • Sanitization: Absent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 05:56 AM