BMad Method

v2.0.0

AI-driven agile development framework with 34+ workflows and 12+ domain expert agents (PM, Architect, Developer, UX, Scrum Master, etc.). Use when: (1) User...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (an AI-driven agile framework) align with the SKILL.md commands (npx bmad-method install, modules, workflows). However, the registry metadata lacks a homepage or source repository, so while the requested actions are plausible for this purpose, there is insufficient provenance for the external package the skill asks you to run.
Instruction Scope
The runtime instructions explicitly instruct running 'npx bmad-method install' (including variants for CI). Those commands fetch and execute remote code at runtime. The SKILL.md does not limit or verify what that code does, nor does it constrain the environment or warn about side effects. The instructions do not request unrelated files or environment variables, but they delegate potentially broad actions to an external package.
Install Mechanism
There is no formal install spec in the registry; instead the SKILL.md relies on npx to pull a package from the npm ecosystem. npx executes code downloaded from the registry which can run arbitrary install or postinstall scripts. With no declared source URL, checksum, or repo, this is a moderate-to-high risk install mechanism for an instruction-only skill.
Credentials
The skill declares no required environment variables, credentials, or config paths, which is proportionate to a documentation/command wrapper. Note: the external npm package that the SKILL.md instructs you to run could itself prompt for or read secrets, but that behavior is not declared here.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges in the metadata. It is user-invocable and allows autonomous model invocation (platform default). The main persistence risk comes from running the external installer (npx), which may write files into the project directory, but the skill metadata itself does not request persistent platform presence.
What to consider before installing
This skill is instruction-only and asks you (or the agent) to run 'npx bmad-method install', which will download and execute an npm package whose source and homepage are not provided in the registry metadata. Before installing or allowing an agent to run this:

1) Verify the npm package and publisher (look up 'bmad-method' on the npm registry and inspect the publisher and package versions).
2) Find the source repository (GitHub or other) and review the code (especially install/postinstall scripts).
3) Prefer installing in an isolated environment or disposable container/CI workspace, not on your primary machine.
4) Ask the skill author for a verified release URL, checksum, or a pinned commit/tag.
5) Do not grant this skill autonomous execution rights in sensitive contexts until provenance is confirmed.

If you cannot verify the package source and contents, treat it as potentially unsafe.



