Security Audit
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-testarch-framework
github.com/PabloLION/bmad-plugin
Trust Assessment
PabloLION/bmad-plugin:plugins/bmad/skills/bmad-testarch-framework received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include External instruction loading via workflow.md.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 11, 2026 (commit 17efb6ce). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | External instruction loading via workflow.md. The skill's primary instruction is to 'Follow the instructions in [workflow.md](workflow.md)'. This delegates the skill's behavior to an external file (`workflow.md`) which is not provided in the current context. If `workflow.md` is not properly secured or vetted, it could contain malicious instructions, leading to prompt injection against the host LLM by directing it to perform unintended actions. Recommendation: embed all necessary instructions directly within the `SKILL.md` file. If external files are absolutely necessary, ensure they are strictly controlled, immutable, and part of the trusted skill package. Avoid dynamic loading of instructions from external, unverified sources. | LLM | SKILL.md:1 |
Full report: https://skillshield.io/report/a9b753fcfcfcfce2
Powered by SkillShield