BMad Method

Security checks across malware telemetry and agentic risk

Overview

This is a genuine BMad workflow helper, but it repeatedly encourages running AI coding commands with permission checks bypassed; that behaviour deserves user review before installation.

Install only if you are comfortable with an AI coding workflow that can read and modify your project. Use it in a sandboxed or backed-up repository, review the BMad npm/GitHub package before running npx, avoid permission-bypass modes unless the workspace is trusted and tightly scoped, and review any project content before sending it to OCM tasks or spawned agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium severity, 90% confidence

The skill instructs the agent to create external OCM tasks and populate them from BMad outputs, which extends beyond the stated purpose of a development workflow helper into third-party system manipulation. This increases the attack surface by enabling unreviewed propagation of project data and actions into another system without clear user re-consent or scope limitation.

Context-Inappropriate Capability

Medium severity, 87% confidence

The recovery guidance includes broad `pkill -f` commands that can terminate processes based on pattern matching, which is outside the core BMad workflow role and can affect unrelated local work. In an automated agent context, process-killing is a powerful side effect that may disrupt other sessions or services and can be abused if project paths or patterns are manipulated.
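A safer shape for the recovery step described above, as an added example that is not BMad's own script: start workflow processes through a wrapper that records their PIDs, and stop only those PIDs, re-checking that each PID still runs the recorded command before signalling it. No pattern is matched at stop time, so a manipulated project path or process name cannot widen the blast radius to other sessions. `PIDFILE`, `run_tracked`, `tracked_count` and `stop_tracked` are names assumed for illustration.

```shell
#!/bin/sh
# Added example, not part of BMad: PID-tracked start/stop instead of `pkill -f`.
# PIDFILE location and function names are assumptions for illustration.

PIDFILE="${PIDFILE:-${TMPDIR:-/tmp}/bmad-tracked.pids}"

# Start a command in the background and record "<pid> <command name>".
# The PID is left in TRACKED_PID for the caller.
run_tracked() {
    "$@" &
    TRACKED_PID=$!
    printf '%s %s\n' "$TRACKED_PID" "$(basename "$1")" >> "$PIDFILE"
}

# Number of recorded processes.
tracked_count() {
    if [ -f "$PIDFILE" ]; then wc -l < "$PIDFILE" | tr -d ' '; else echo 0; fi
}

# Terminate recorded PIDs only, and only while the PID still runs the recorded
# command name (guards against PID reuse after the original process exited).
# Prints how many processes were signalled and removes the PID file.
stop_tracked() {
    [ -f "$PIDFILE" ] || { echo 0; return 0; }
    stopped=0
    while read -r pid name; do
        current=$(ps -o comm= -p "$pid" 2>/dev/null || true)
        if [ "$current" = "$name" ]; then
            kill "$pid" 2>/dev/null && stopped=$((stopped + 1))
        fi
    done < "$PIDFILE"
    rm -f "$PIDFILE"
    echo "$stopped"
}
```

Usage: `run_tracked npx some-tool ...` for each long-running helper the workflow launches, then `stop_tracked` during recovery. Processes that were not started through the wrapper are never touched, which is the property a `pkill -f <pattern>` line cannot give you.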

Context-Inappropriate Capability

Medium severity, 89% confidence

The sub-agent section expands the skill into agent/session orchestration with direct project file access and instructions to pass substantial context into spawned sessions. This materially broadens capability beyond the manifest and creates opportunities for over-privileged delegation and unnecessary data exposure to secondary agents.

Vague Triggers

Medium severity, 76% confidence

The manifest description is extremely broad, covering architecture, planning, story generation, PRD creation, and full development workflows. Such broad trigger language can cause the skill to activate for many generic software requests, increasing the chance that risky instructions elsewhere in the file are applied in situations where the user did not specifically intend this powerful workflow.

Missing User Warnings

Medium severity, 92% confidence

The document explicitly tells users to point an AI at the local `_bmad` folder or a cloned repository so the model can read project files, but it does not warn about privacy boundaries, secrets, proprietary code, or unintended data exposure. In a development workflow skill, this is risky because users may include sensitive source code, configuration files, credentials, internal docs, or customer data in the AI tool's accessible scope without understanding what will be processed or retained.
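The check a practitioner would want before following that instruction, as an added example rather than anything BMad ships: a pre-flight scan of the directory about to be exposed, flagging file names that usually hold credentials and lines that look like secrets, with a non-zero exit so it can gate the step. The patterns, the `.git`/`node_modules` exclusions and the function names `scan_for_secrets` and `secrets_check` are assumptions for illustration; the lists are starting points to extend for your environment, not a complete secret detector.

```shell
#!/bin/sh
# Added example, not part of BMad: pre-flight scan before pointing an AI tool
# at a repository or `_bmad` folder. Patterns and exclusions are assumptions.

# File names that should not be inside an AI tool's readable scope.
SENSITIVE_NAMES='^\.env(\..*)?$|\.pem$|\.key$|^id_(rsa|ed25519)$|\.p12$|\.pfx$|^credentials(\.json)?$|^\.npmrc$'

# Line content that looks like a credential: an AWS access key id, a private
# key header, or a key/secret/token/password assignment with a long value.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|API[_-]?KEY|secret|SECRET|token|TOKEN|password|PASSWORD)[[:space:]]*[:=][[:space:]]*['\"]?[A-Za-z0-9_/+=-]{16,}"

# Print one line per finding: "NAME <path>" for a sensitive file name, or
# "CONTENT <path>:<line>:<text>" for a line matching SECRET_PATTERNS.
# Version-control metadata and installed dependencies are skipped.
scan_for_secrets() {
    find "$1" -type f ! -path '*/.git/*' ! -path '*/node_modules/*' 2>/dev/null |
    while read -r f; do
        if basename "$f" | grep -Eq "$SENSITIVE_NAMES"; then
            printf 'NAME %s\n' "$f"
        fi
        grep -EnI "$SECRET_PATTERNS" "$f" 2>/dev/null |
        while read -r hit; do
            printf 'CONTENT %s:%s\n' "$f" "$hit"
        done
    done
}

# Print the number of findings and return non-zero if there are any, so the
# scan can gate the step that exposes the directory to the tool.
secrets_check() {
    n=$(scan_for_secrets "$1" | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -eq 0 ]
}
```

Usage: `secrets_check ./my-project || exit 1` before opening the folder in the AI tool; the same scan applies to a story or architecture file before its content is copied into an external task or a spawned session. A zero count is not proof of absence, only that nothing matched these patterns, so keep credentials out of the working tree rather than relying on the scan alone.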

Missing User Warnings

Low severity, 89% confidence

The upgrade guide instructs users to allow removal of the legacy `.bmad-method` folder or delete it manually, but it does not explicitly tell them to verify backups, confirm the exact target path, or ensure no needed artifacts remain there. In a developer tool context, this can lead to accidental deletion of project data or customizations during migration, especially if the user has renamed folders or stored nonstandard content in the legacy directory.

Missing User Warnings

Low severity, 92% confidence

The manual cleanup section tells users to remove IDE command directories matching BMad-related paths, but it does not warn them to confirm they are deleting only legacy-generated folders. In an IDE configuration area, mistaken deletion could remove unrelated commands, custom automations, or user data if similarly named folders are present or paths are interpreted too broadly.

Vague Triggers

Medium severity, 82% confidence

Telling users to run BMad-Help 'anytime' and 'ask it anything' encourages unconstrained reliance on an agent that also inspects project state and recommends next actions. In an AI-driven development environment, this kind of open-ended framing can normalize over-broad prompts, increase the chance of prompt-scope drift, and lead users to disclose unrelated sensitive data or follow advice outside the intended BMad workflow boundary.

Ssd 3

Medium severity, 93% confidence

The skill says OCM tasks should include full story content and references, which can copy sensitive project requirements, internal details, or user-provided content into an external task system in plain language. That is a direct data disclosure risk, especially if stories contain secrets, security plans, customer data, or proprietary architecture details.

Ssd 3

Medium severity, 91% confidence

The sub-agent prompt construction instructs passing complete story text, project context, and architecture into another session. This is unnecessary bulk disclosure that can expose sensitive implementation details, business context, and internal design documents to a broader execution context than required.

VirusTotal

56/56 vendors reported this skill as clean.