Security Audit
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-quick-dev-new-preview
github.com/PabloLION/bmad-plugin
Trust Assessment
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-quick-dev-new-preview received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include "Untrusted content attempts to manipulate LLM instructions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 11, 2026 (commit 17efb6ce). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted content attempts to manipulate LLM instructions.** The skill's primary instruction file (`SKILL.md`) contains a directive within the untrusted input block (`Follow the instructions in ./workflow.md.`). This is a direct prompt injection attempt where untrusted content tries to override or extend the host LLM's instructions. The LLM should never follow commands or instructions originating from untrusted sources, as this can lead to unauthorized actions or information disclosure. Remediation: remove any instructions or directives from the untrusted content block. The host LLM should only follow instructions provided by the skill developer outside of the untrusted input delimiters. Untrusted content should be treated as data, not commands. | LLM | SKILL.md:1 |
Full report: https://skillshield.io/report/a0dddb87281f4b90