Bmad Brainstorming Coach

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real brainstorming helper, but it needs review because it includes under-disclosed local command hooks, external BMAD file reads, and persistent workspace writes.

Install only if you want a BMAD-style brainstorming workflow that may create and update local session files. Use a narrow output folder, review any existing _bmad configuration and .claude/hooks/bmad-speak.sh before using Party Mode, and avoid YOLO mode unless you are comfortable with automated document updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
The skill explicitly instructs the agent to append brainstorming content, session summaries, and frontmatter state to files under an output path. That expands the skill from conversational facilitation into filesystem/state mutation, which can cause unintended persistence of sensitive user-provided ideas or cross-session data leakage if the execution environment honors these directives.

Description-Behavior Mismatch

Severity: Medium. Confidence: 89%.
The workflow materially exceeds the stated scope of a brainstorming coach by loading a complete agent roster and initiating multi-agent orchestration. This broadens authority and behavior in a way users would not reasonably expect from the skill metadata, increasing the risk of unintended cross-skill activation, hidden delegation, and policy bypass through capability expansion.

Context-Inappropriate Capability

Severity: Medium. Confidence: 92%.
Cross-agent roster loading, personality merging, and intelligent routing create an implicit control plane for invoking other agent behaviors not justified by this skill's declared purpose. In an adversarial or loosely governed environment, that can expose hidden prompts, broaden data access paths, and enable execution of more powerful behaviors than the user intended to authorize.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
The workflow explicitly instructs the agent to invoke a local shell hook (`.claude/hooks/bmad-speak.sh`) as part of normal response generation, even though the skill's stated purpose is brainstorming and discussion facilitation. Embedding shell execution into conversational logic creates an unnecessary execution path that could trigger local commands, expose data to scripts, or be abused if agent names or response text are passed unsafely into the shell.

Description-Behavior Mismatch

Severity: Medium. Confidence: 92%.
The file implements a 'party-mode' multi-agent farewell workflow that does not match the declared Brainstorming Coach skill purpose. This kind of hidden or undeclared capability increases the attack surface, weakens user trust, and can enable unexpected behaviors outside the advertised role of the skill.

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
The workflow explicitly includes a shell-hook invocation (`.claude/hooks/bmad-speak.sh`) as part of normal operation, even though a brainstorming coach does not need shell execution to produce text farewells. Embedding executable hook instructions in prompt content can lead an agent framework or operator to run local commands, creating command-execution risk and enabling unintended side effects on the host environment.

Description-Behavior Mismatch

Severity: High. Confidence: 94%.
The workflow declares and implements a broad 'party mode' that orchestrates all installed BMAD agents, which materially exceeds the advertised purpose of a brainstorming coach skill. This scope mismatch is dangerous because it can invoke hidden or more privileged agent behaviors under an innocuous skill label, reducing user visibility and informed consent.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
The workflow reads an agent manifest and builds a roster of all installed agents for coordinated use, which grants broad discovery and invocation capability unrelated to a simple brainstorming assistant. In context, this increases attack surface and the chance of unintended privilege aggregation, data exposure, or execution of behaviors from other agents that the user did not request.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The file defines a generic workflow execution engine rather than behavior narrowly scoped to a brainstorming coach. That expands the skill's authority and reachable behaviors well beyond the manifest description, increasing the chance of unintended task execution, data access, and unsafe side effects when this skill is invoked under a benign-seeming role.

Context-Inappropriate Capability

Severity: High. Confidence: 97%.
The engine can invoke arbitrary workflows, tasks, and protocols, which effectively grants broad capability escalation from within a skill advertised as a brainstorming coach. If a malicious or unexpected instruction set is loaded, the agent could chain into unrelated components that read files, write outputs, or perform other sensitive actions outside the user's reasonable expectations.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
The discover_inputs protocol directs the engine to automatically find and fully load potentially large sets of project documents, even advising loading documents when relevance is uncertain. In the context of a brainstorming skill, this is overbroad data access and can unnecessarily expose sensitive business, architecture, or product information to the model without clear need or granular consent.

Intent-Code Divergence

Severity: Medium. Confidence: 90%.
YOLO mode allows the system to simulate the remainder of a user/expert discussion instead of waiting for actual confirmation. This undermines the documented collaborative approval model and can cause the agent to fabricate consent, assumptions, or content that then gets persisted or used in downstream workflow steps.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The skill explicitly instructs the agent to save generated content into a user-specified output folder, but it does not require an explicit confirmation step before file creation/modification or impose path restrictions. In an agent setting, this can lead to unintended writes, overwriting existing files, or writing to sensitive locations if the output folder is unsafe or attacker-controlled.

Natural-Language Policy Violations

Severity: Medium. Confidence: 94%.
The workflow explicitly instructs the agent to always speak in a configured `communication_language`, regardless of the user's actual preference. This is a real policy/UX control issue because it can override user intent, reduce transparency, and in some contexts be used to hinder user understanding or informed consent, though it does not by itself create direct code-execution or data-exfiltration risk.

Natural-Language Policy Violations

Severity: Medium. Confidence: 89%.
The entry encourages use of 'specific cultures' and 'indigenous approaches' as a generic brainstorming tool without requiring consent, contextual grounding, or safeguards against stereotyping and appropriation. In a creativity skill, this can normalize unsupported cultural borrowing and produce harmful, disrespectful, or fabricated outputs presented as legitimate indigenous wisdom.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The skill directs the agent to create directories, copy a template, and append/update a session file, but it does not require explicit user consent or a clear user-facing notice before performing those filesystem writes. In an agent environment, silent persistence can surprise users, overwrite expected state, or create unintended records, especially because paths are parameterized and the workflow encourages automatic continuation behavior.

Missing User Warnings

Severity: Medium. Confidence: 87%.
The step instructs the agent to read an existing session file and update its frontmatter, but it does not require explicit user confirmation or even a user-facing notice before modifying the document. In an agentic environment, silent state changes can overwrite or alter user work unexpectedly, which creates integrity and consent risks even if the workflow is otherwise legitimate.

Natural-Language Policy Violations

Severity: Medium. Confidence: 76%.
The instruction mandates that output must always use a predefined `communication_language` without mentioning user choice or override. This is not directly a security exploit, but it can reduce transparency and user control, especially if the chosen language prevents the user from understanding file actions, prompts, or consent requests.

Natural-Language Policy Violations

Severity: Medium. Confidence: 93%.
The step includes a hard requirement that the agent must always speak in a specific style/language derived from `communication_language`, without indicating user opt-in or an override path. While not directly enabling code execution or data exfiltration, this can override user preferences, reduce transparency, and be used to shape responses in ways the user did not request, making the workflow less trustworthy and more susceptible to prompt-level coercion.

Natural-Language Policy Violations

Severity: Medium. Confidence: 95%.
The step contains a mandatory instruction requiring the agent to always speak in a specific communication style tied to `communication_language`, without indicating that the user's explicit preference takes precedence. This can override user expectations or system-level localization behavior, reducing user control and creating prompt-steering risk in multi-step workflows.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The workflow explicitly instructs the agent to modify frontmatter and append content to a document, but it does not require a clear user-facing disclosure or confirmation immediately before making those changes. In an agent setting, silent state or file modification can violate user expectations, create integrity issues in project artifacts, and make prompt-driven actions harder to audit.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The workflow instructs the agent to append content to a file and update frontmatter state automatically when the user selects completion, but it does not require a clear user-facing disclosure or explicit confirmation that persistent files and workflow metadata will be modified. In an agent environment with file-system capabilities, this can lead to silent state changes, unexpected data persistence, or overwrite/append behavior the user did not meaningfully consent to.

Vague Triggers

Severity: Medium. Confidence: 91%.
The trigger conditions are very broad (e.g. activating on phrases like 'help me brainstorm' or 'help me ideate'), which can overlap with ordinary user conversation and cause the workflow to engage unintentionally. In an agent system, overly permissive activation can route users into a different behavior mode than intended, increasing the chance of prompt confusion, unwanted file access, or execution of downstream workflow steps without clear user consent.

Natural-Language Policy Violations

Severity: Medium. Confidence: 88%.
Forcing the communication language from configuration for the entire workflow without user opt-in can override the user's current intent or comprehension needs. This creates a safety and usability risk because important instructions, confirmations, or brainstorming outputs may be presented in a language the user did not actively choose, leading to misunderstanding and accidental consent to subsequent workflow actions.

Missing User Warnings

Severity: Low. Confidence: 76%.
The workflow instructs the agent to update frontmatter and persist state without clearly warning the user that a markdown file will be modified. Even if the change is small, silent state mutation can surprise users, create integrity issues in repository content, and normalize unauthorized file edits by the skill.

VirusTotal

60/60 vendors flagged this skill as clean.
