Security Audit
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-party-mode
github.com/PabloLION/bmad-plugin
Trust Assessment
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-party-mode received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is prompt injection via external instruction loading.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 11, 2026 (commit 17efb6ce). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Prompt injection via external instruction loading: The skill's primary instruction in `SKILL.md` directs the host LLM to "Follow the instructions in ./workflow.md." This is treated as a prompt injection attempt, since untrusted content is dictating the LLM's behavior by instructing it to load and execute further instructions from an external file (`workflow.md`). This allows the skill to potentially bypass direct scrutiny of its main entry point and introduce arbitrary instructions from another file, which could contain malicious directives. Remediation: avoid direct instructions to the host LLM within untrusted skill content. All instructions should be explicitly defined within the skill's manifest or directly in the primary skill file, without delegating to external, potentially unanalyzed files. If external files are necessary, they should be explicitly declared and their content should also be subject to security analysis. | LLM | SKILL.md:1 |
Scan History
Full report: https://skillshield.io/report/86f6543db42756fa