bmad

Fail

Audited by Socket on Mar 11, 2026

2 alerts found:

Security: Obfuscated File (MEDIUM)
File: SKILL.md

The skill claims to orchestrate BMAD workflows with phase gating and archival via Obsidian. The footprint is only partially aligned: the described workflow is coherent, but the installation model (unverifiable GitHub-based npx install) and multi-platform bridge guidance introduce significant supply-chain and integration risks. Data flows largely stay within local vaults (Obsidian) with UI-driven review steps, but cross-platform orchestration and external UI bridges create potential exposure points. Overall, the skill is best classified as SUSPICIOUS due to unverifiable install sources and broad, potentially risky orchestration paths that could surface sensitive content or tokens if not properly constrained.

Confidence: 72%
Severity: 72%

Security: Obfuscated File (HIGH)
File: .DS_Store

The fragment is a binary/resource bundle rather than executable source code. There is insufficient evidence of explicit malicious activity in the visible portion, but embedded/packed assets pose a non-trivial supply-chain risk. A deeper binary analysis (unpacking blobs, inspecting embedded scripts, and dynamic behavior) and provenance verification are required to rule out covert payloads. Recommend obtaining a manifest, checksums, or signed packaging and performing binary-level inspection or decryption/decompression analysis.

Confidence: 72%

Audit Metadata
Analyzed At
Mar 11, 2026, 09:09 AM
Package URL
pkg:socket/skills-sh/JEO-tech-ai%2Foh-my-gods%2Fbmad%2F@3ab9d22434047fd1aa7ca1efefa0d188ddfe755d