Skills
skills/gnoviawan/agentic-marketing/bmad-agent-product-marketing-context/Gen Agent Trust Hub

bmad-agent-product-marketing-context

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill contains instructions to install the agent-browser skill from Vercel Labs' official GitHub repository (https://github.com/vercel-labs/agent-browser) using the npx skills add command. This represents the acquisition of external capabilities from a trusted source.
  • [COMMAND_EXECUTION]: The instructions direct the agent to run shell commands, including npm install -g agent-browser and npx playwright install chromium, to set up research tools if they are not already available in the environment.
  • [EXTERNAL_DOWNLOADS]: Fetches and installs external software and browser dependencies from well-known and trusted repositories (Vercel Labs and Playwright/Microsoft) to facilitate marketing research.
  • [PROMPT_INJECTION]: The skill is designed to process untrusted data from external markdown files (SOSTAC strategy documents), which creates a surface for indirect prompt injection.
  • Ingestion points: Content is extracted from multiple files located in the ./brands/{brand-slug}/sostac/ directory.
  • Boundary markers: The skill reads full phase files without using explicit delimiters or markers to isolate external content from its own instructions.
  • Capability inventory: The skill has permissions to read various local project files and write positioning documents back to the filesystem.
  • Sanitization: No sanitization, validation, or filtering is applied to the content of the ingested SOSTAC files before they are processed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 3, 2026, 11:27 AM