bmad-orchestrator
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
scripts/install.shscript andSETUP.mddocumentation instruct the user or agent to download a script fromhttps://plannotator.ai/install.shand pipe it directly to the shell (sh). This pattern allows for unauthenticated code execution from a third-party remote source, which can lead to full system compromise.\n- [EXTERNAL_DOWNLOADS]: The skill setup process involves downloading executable installation scripts and CLI tools from the external domainplannotator.ai.\n- [COMMAND_EXECUTION]: The skill relies on multiple bash scripts (init-project.sh,check-status.sh,phase-gate-review.sh,install.sh) to perform its primary functions, including environment configuration, file system manipulation, and invocation of system tools likepython3andyq.\n- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection as it processes untrusted documentation files created during the workflow.\n - Ingestion points: Document files such as
docs/prd-*.mdanddocs/architecture-*.mdread byscripts/phase-gate-review.sh.\n - Boundary markers: None present to delimit user-provided content from instructions.\n
- Capability inventory: Subprocess execution of the
plannotatorCLI and transmission of document content over the network.\n - Sanitization: No sanitization or validation of document content is performed before the data is read and piped to external commands.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata