BmadOrchestrate

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of system shell commands to manage git worktrees and tmux sessions for workflow automation.
  • [COMMAND_EXECUTION]: In Workflows/Execute.md, the agent utilizes tmux send-keys to programmatically inject and execute commands into background terminal panes, which involves dynamic command assembly.
  • [COMMAND_EXECUTION]: The skill explicitly directs the use of the --dangerously-skip-permissions flag when invoking the claude CLI. This action intentionally bypasses the security model of the underlying tool, permitting it to perform file modifications or command executions without explicit user authorization or confirmation.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because the Workflows/Analyze.md workflow ingests and processes untrusted data from local project files, such as epics.md and story-specific markdown files. Evidence chain: (1) Ingestion points: Analyze.md reads multiple markdown files from the project repository; (2) Boundary markers: None are defined to separate instructions from data; (3) Capability inventory: Execute.md has the capability to trigger subprocess execution and file writes via the automated sub-agent; (4) Sanitization: No sanitization or validation of the ingested content is performed. Maliciously crafted content in these project files could influence the orchestration logic to execute unintended or harmful commands.
  • [COMMAND_EXECUTION]: The skill performs local network requests via curl to localhost:8888 for notifications, which represents a telemetry and command execution surface if an unauthorized service is listening on that port.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 7, 2026, 06:51 AM