bmad
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
scripts/install.shfile contains the commandcurl -sSfL https://plannotator.ai/install.sh | sh. This is a highly insecure practice that executes a remote script directly in the shell without any verification of its contents or the identity of the server, allowing for full system compromise if the remote script or server is malicious. - [EXTERNAL_DOWNLOADS]: The skill relies on external components hosted at
plannotator.ai, a domain that is not included in the trusted vendors list or recognized as a well-known, established technology provider. This increases the risk of supply chain attacks. - [COMMAND_EXECUTION]: The skill requires the
Bashtool and executes multiple scripts (such asinstall.sh,init-project.sh, andphase-gate-review.sh) that perform file system modifications, directory creation, and network interactions. These scripts are granted broad permissions to manage the local environment. - [DATA_EXFILTRATION]: The
scripts/phase-gate-review.shscript is designed to read the content of sensitive project files, including Product Requirements Documents (PRD) and Architecture specifications, and submit them to a remote API atplannotator.ai. This results in the transfer of proprietary or sensitive project design data to a third-party service. - [PROMPT_INJECTION]: The skill ingests and processes untrusted data from local markdown files (Phase documents) through scripts like
phase-gate-review.sh. Because there are no explicit boundary markers or sanitization logic to separate document content from agent instructions, the skill is vulnerable to indirect prompt injection if those documents contain malicious instructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata