Security Audit
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-agent-tech-writer
github.com/PabloLION/bmad-plugin

Trust Assessment
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-agent-tech-writer received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Broad filesystem search for project context.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 11, 2026 (commit 17efb6ce). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Broad filesystem search for project context.** The skill instructs the LLM to 'Search for `**/project-context.md`'. The `**` wildcard implies a recursive search across potentially the entire accessible filesystem. If the skill's execution environment grants broad read access, this could lead to the skill inadvertently or maliciously reading sensitive files named `project-context.md` located in unexpected directories. While the intent is likely to find a specific project configuration, the broadness of the search pattern is a concern for excessive permissions and potential data exfiltration if a malicious `project-context.md` is placed in an accessible location. Recommendation: restrict the search path for `project-context.md` to a more specific, expected location (e.g., `.` or `./project-context.md`, or a specific project root directory) rather than using a recursive wildcard across the entire filesystem. Ensure the skill's runtime environment enforces strict filesystem access controls to limit the scope of file operations. | LLM | SKILL.md:48 |
Full report: https://skillshield.io/report/fa63d764e4f48363