BMad Method
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only development-framework skill is coherent, but it asks users to run an external npm installer, so the package and version should be verified before use.
This looks like a normal instruction-only installer guide for an AI development workflow framework. Before installing, verify the bmad-method npm package and docs, prefer a pinned version, run it only in the intended project, and use the --yes CI/CD option only when you are comfortable with non-interactive file changes.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the npm package or latest version is not the intended one, running the command could install unexpected framework files or behavior into the user's development environment.
The recommended setup fetches and runs an npm package, and the default command is not pinned to a version. This is aligned with installing the framework, but it is a supply-chain point users should verify.
# Interactive installation (recommended)
npx bmad-method install
# Or install specific version
npx bmad-method@6.0.1 install
Prefer the pinned version when possible, verify the npm package and documentation, and run the installer only in the intended project directory.
Using the non-interactive command may modify project or AI-tool files without further confirmation.
The documented CI/CD command uses --yes, which can proceed without interactive prompts. It is clearly presented as an optional user-directed setup path, but it should not be copied blindly.
npx bmad-method install --directory /path/to/project --modules bmm --tools claude-code --yes
Avoid --yes for first-time local installs, review the target directory and selected modules/tools, and inspect changes after installation.
