bmad-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (LOW): The document-project and dev-story workflows ingest large amounts of untrusted content from the project codebase. The dev agent (bmm/agents/dev.md) is specifically instructed to treat the resulting 'Story Context' as 'AUTHORITATIVE over any model priors'. Additionally, the agent is directed to execute continuously in autonomous mode without pausing for human review unless blocked. This creates a vulnerability surface where malicious instructions embedded in code comments or strings could hijack the agent's logic during implementation or testing.
  - Ingestion points: bmm/workflows/1-analysis/document-project/instructions.md (filesystem scans) and bmm/agents/dev.md (code reading).
  - Boundary markers: The orchestration engine (core/tasks/workflow.xml) uses XML-like delimiters for instructions, but the ingested code content is interpolated directly into the context.
  - Capability inventory: The agent can modify files and execute shell commands (write_file, subprocess execution via test runners).
  - Sanitization: No explicit sanitization or filtering of external content (e.g., stripping instructions from comments) was observed in the orchestration logic.
- Command Execution (MEDIUM): The dev-story and testarch workflows (e.g., ci, atdd, automate) are designed to execute arbitrary shell commands for running tests and configuring environments (e.g., npm run test:e2e). While this is central to the skill's primary purpose, it presents a significant risk if the agent's instructions are subverted by malicious project data.
- Data Exposure (LOW): The document-project workflow performs an exhaustive scan of the directory structure and contents of brownfield projects. While intended for documentation, this provides the agent with broad access to all project files, including sensitive configurations like package.json, go.mod, and potential environment variable files.
- External Downloads (LOW): The research and architecture workflows use web search tools to gather market intelligence and verify technology versions. This involves processing data from various external websites, though typically through a controlled search interface.
- Dynamic Execution (LOW): The bmb (Builder) module generates agents and workflows from templates and provides installer.js templates meant for execution during module installation. These tools involve the creation and execution of scripts as part of the intended development toolkit.
Audit Metadata