Skill v1.0.2
ClawScan security
BMad Method · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 6:30 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is generally coherent with being a local workflow/framework helper, but its runtime instructions encourage installing an external npm package and bypassing permission prompts — behaviors that increase risk and merit caution before use.
- Guidance
- This skill appears to do what it claims (a local AI-driven development framework), but it requires you to run an external npm installer and its documentation explicitly recommends suppressing permission prompts and automating prompt replies, both risky. Before installing or running the recommended commands:
  - Inspect the npm package before running npx: check the package repository, package.json, and any install/postinstall scripts for unexpected actions.
  - Avoid using flags that skip permission checks (for example, --dangerously-skip-permissions or bypassPermissions). Those bypass the runtime's safety mechanisms and make it easier for installer code to execute sensitive actions without explicit consent.
  - Do the initial install and eval in an isolated environment (throwaway repo, container, or VM) so you can audit created files (_bmad, _bmad-output) before integrating them into real projects.
  - Monitor any interactive prompts rather than auto-submitting 'yes' blindly. The SKILL.md's examples encourage auto-approval for convenience, but automatic approvals can inadvertently accept harmful operations (e.g., running arbitrary scripts, overwriting files, or pushing code).
  - Audit generated customization files (.customize.yaml) and any 'critical_actions' before allowing them to run persistently; these can make agents perform actions automatically on startup.
  - If you don't trust the npm package or the claude binary, do not install. If you need to proceed, ask for the package repository URL or package contents and have someone with npm security experience review install scripts and network behavior first.

  If you want, I can: (a) list concrete checks to run on the npm package.json and typical install scripts, (b) suggest an isolated container/VM install command template, or (c) scan any provided package.json or postinstall scripts for red flags.
Review Dimensions
- Purpose & Capability
- ok: Name/description (BMad Method for AI-driven development) match the skill content: it orchestrates agent workflows, reads project files, and depends on a coding-agent/Claude Code runtime. Requiring Claude Code and a local claude binary is consistent with the described capabilities.
- Instruction Scope
- concern: SKILL.md tells the agent to run an external npm installer (npx bmad-method install), scan and read the project codebase, and automatically interact with interactive prompts via process actions. Critically, it recommends using flags like --dangerously-skip-permissions or --permission-mode bypassPermissions and automating 'submit' responses to prompts. Those instructions expand the agent's authority (automatic approvals, suppressed permission checks) beyond typical 'read-and-suggest' duties and could allow unattended code execution or make it easier for malicious install scripts to run without intervention.
- Install Mechanism
- note: The skill itself is instruction-only (no install spec), but it explicitly instructs users/agents to run 'npx bmad-method install' which downloads and extracts code from npm into your project directory. Using npm (npx) is a common distribution mechanism and plausible here, but it performs arbitrary code installation in the caller's filesystem; review of the npm package and its install scripts is necessary before running. The SKILL.md warns to review the package, which is good, but the installer step is high-impact and outside the platform's control.
- Credentials
- note: The skill does not request environment variables or credentials in the registry metadata, which is proportionate. However, the SKILL.md recommends bypassing Claude Code permission prompts and auto-approving interactive install prompts; that effectively reduces runtime checks and could allow network access or credential use by installed code without expected oversight. No explicit env/credential demands were found in the files, but the installer could introduce such requirements after being run.
- Persistence & Privilege
- note: always:false and no declared config paths mean this skill does not demand platform-level persistence. However, the installer will create persistent project artifacts (/_bmad, _bmad-output, _bmad/_config etc.) and supports .customize.yaml files that can define 'critical_actions' and persistent 'memories' for agents. Those artifacts provide persistent behavior in a project repository and can cause agents to run custom startup actions; review any generated customization files to prevent unexpected persistent automation.
