BMad Method
Warn: Audited by ClawScan on May 10, 2026.
Overview
This is a coherent AI development workflow skill, but it encourages bypassing Claude Code permission checks and auto-approving shell prompts, which can let agents run commands or change code with too little review.
Use this skill only in a version-controlled project you are comfortable letting an AI coding agent inspect and modify. Install the BMad npm package only if you trust it, keep Claude Code permission prompts enabled unless you have a strong reason to bypass them, and review generated project-context and customization files before allowing them to guide future workflows.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could run shell commands or modify project files without normal permission prompts, increasing the chance of unintended changes, unsafe commands, or hard-to-review automation.
The skill explicitly recommends running Claude Code with permission checks bypassed for most workflows and gives a default approval response for shell command prompts. Because the workflows can implement code and run commands, this materially reduces user control over high-impact actions.
claude -p --dangerously-skip-permissions "Your prompt" ... "Non-interactive (recommended for most BMad workflows)" ... "Shell command (Y/n): → submit 'y'"
Avoid using `--dangerously-skip-permissions` or `bypassPermissions` by default. Keep permission prompts enabled, review each shell command, and only approve commands you understand in a clean, version-controlled project.
Installing through npx will run code from the npm package, so the safety of the installed BMad tooling depends on that package and version.
The skill relies on an npm package fetched at install time. This is disclosed and purpose-aligned, but it is still external executable code outside the reviewed instruction-only skill artifacts.
`npx bmad-method install` fetches code from npm. Only run this if you trust the BMad package. Review the package before installing.
Review the npm package and source repository before installing, consider pinning a known-good version, and run installation only in the intended project directory.
A project file can persistently steer later coding workflows, and generated context could accidentally capture sensitive implementation details if not reviewed.
Project context is automatically reused across implementation workflows. This is useful and disclosed, but any inaccurate, stale, malicious, or secret-containing project-context file can influence future agent behavior.
Every implementation workflow automatically loads `project-context.md` if it exists ... also check `**/project-context.md` anywhere in your project.
Review generated `project-context.md` files before reuse, avoid storing secrets in them, and be cautious when working in repositories with untrusted contributions.
Custom startup actions could repeatedly run checks or other workflows whenever an agent starts, which may surprise users if those actions are broad or high-impact.
The docs describe persistent startup instructions for agents. This is user-controlled customization, not hidden persistence, but it can cause recurring agent behavior beyond a single request if configured carelessly.
`critical_actions` | Appends | Define startup instructions for the agent ... "agents to perform specific actions every time they start up"
Keep `critical_actions` narrow, visible, and reversible. Do not configure startup actions that deploy, commit, delete, or run broad commands without explicit user confirmation.
