bkd
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands including `git` (for branch management, merging, and stashing), `curl` (for API interaction), `jq` (for data processing), and project-specific build/test commands such as `npm run build` and `npm run test` during post-merge verification.
- [DATA_EXFILTRATION]: Project metadata, issue descriptions, implementation details, and git diff information are sent to the external server defined by the `$BKD_URL` environment variable. Users must ensure this URL points to a trusted BKD instance to prevent sensitive project data from being sent to a malicious endpoint.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted external data.
  - Ingestion points: The agent fetches and processes logs and completion reports from the BKD server (e.g., via `/logs/filter` and `/follow-up` endpoints as seen in `references/orchestration.md` and `references/quality-review.md`).
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat the fetched logs as untrusted data or to ignore any embedded commands within them.
  - Capability inventory: The agent has the capability to modify the local filesystem, perform git operations, and execute project build scripts, which could be exploited if malicious instructions are injected into the BKD issue logs.
  - Sanitization: The skill does not implement validation or sanitization of the content retrieved from the BKD API before it is incorporated into the agent's context.
Audit Metadata