v0.1.0

Bmad Brainstorming Coach

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:21 AM.

Analysis

This is mostly a brainstorming assistant, but one included workflow contradicts the self-contained claim by pointing to unreviewed external BMad files that could change how the agent behaves.

Guidance: Review or fix the `_bmad` references before installing, especially if you plan to use Advanced Elicitation or Party Mode. If you do use the skill, choose a dedicated output folder and avoid providing highly sensitive context unless you are comfortable with it being saved in the brainstorming session document.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium, Confidence: High, Status: Concern
assets/workflows/advanced-elicitation.xml
methods="{project-root}/_bmad/core/workflows/advanced-elicitation/methods.csv" agent-party="{project-root}/_bmad/_config/agent-manifest.csv" ... <action>Load and read {{methods}} and {{agent-party}}</action>

This workflow tells the agent to load method and agent-party data from external `_bmad` paths that are not included in the packaged artifacts, so behavior can depend on unreviewed local files.

User impact: Advanced elicitation or party-style behavior could be influenced by files outside this skill package, making the agent's behavior less predictable than the registry description suggests.
Recommendation: Replace these references with bundled files under the skill's assets directory, or remove the advanced/party loading path until the external dependencies are explicitly declared and reviewed.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
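All logic, templates, and engines of this Skill are included in the local `references/` and `assets/` directories; referencing external directories (such as `_bmad`) is strictly forbidden.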

The skill assures users that all logic is bundled locally and that external `_bmad` directories are forbidden, but an included workflow still references `_bmad` method and agent-manifest files.

User impact: A user may trust the skill as fully self-contained even though one workflow can direct the agent toward unbundled external resources.
Recommendation: Make the self-contained claim true by removing all `_bmad` references, or clearly document the external dependency and what it is allowed to load.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
Whenever a `template-output` tag is encountered, content must be generated and saved under `{output_folder}` ... `[y] YOLO`: automatically complete the current document.

The skill is designed to write generated brainstorming output to a user-provided folder and can continue document generation automatically when the user selects YOLO.

User impact: The agent may create or update brainstorming files in the chosen output folder, including more automatic document completion if explicitly selected.
Recommendation: Use a dedicated output folder, review generated content before relying on it, and avoid YOLO mode if you want section-by-section control.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low, Confidence: High, Status: Note
assets/workflows/brainstorming/steps/step-01-session-setup.md
Check if `context_file` is provided ... If context file exists and is readable, load it ... Update the document frontmatter: `session_topic`, `session_goals`, `ideas_generated`, `context_file`

The workflow can read a user-provided context file and persist brainstorming state in the output document for later continuation.

User impact: Private brainstorming topics, goals, ideas, and any supplied context may be stored in the generated session file and reused in later sessions.
Recommendation: Do not provide sensitive context files unless you are comfortable with their contents influencing and being summarized in the saved brainstorming document.