bmad-synthesize
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a bash script fragment to verify the existence of 11 required reverse-engineering documents in the local directory. This is a standard check for prerequisites and does not perform dangerous operations.
- [EXTERNAL_DOWNLOADS]: The documentation mentions the `bmad-method` package as a suggested manual installation step for the user via `npx`. This is a vendor-related resource and is not automatically downloaded or executed by the skill.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it processes untrusted data from local markdown files. (1) Ingestion points: 11 files in `docs/reverse-engineering/`. (2) Boundary markers: Absent. (3) Capability inventory: File-write operations to `_bmad-output/planning-artifacts/`. (4) Sanitization: Absent. This risk is considered safe as the skill's logic is restricted to document transformation without high-risk execution capabilities.
Audit Metadata