Sec Vul for .claude BMAD scripts

[sirhafizho]

We ran a Polaris security scan, we found out that .claude's for BMAD was showing a vulnerabilities, a prompt injection vulnerabilities, please check it out on you guy's end since this might discourage big enterprise in adopting BMAD in our repositories. this might be small but very big security concerns for our Infra boys.

[bmadcode]

Thanks for flagging this.

After review, this is a false positive from the scanner. Here's the reasoning:

The .claude/ directory contains skills, agents, commands, and workflows that are intentionally authored as natural-language instructions for the LLM. They are prompts by design. Static analyzers like Polaris pattern-match on prompt-like text and flag anything resembling LLM instructions as "prompt injection," but that's not what the term actually means.

A real prompt injection vulnerability requires untrusted input (user-supplied data, external web content, third-party documents, etc.) flowing into a model context where it can override system instructions. Framework files authored by maintainers and shipped in the repo are not an injection vector. They're the program. If you don't trust the maintainers, that's a supply-chain trust decision (the same as installing any npm/pip package), not a prompt injection CVE.

For this to be actionable as a security issue we'd need:

• The specific file(s) and line(s) flagged
• The Polaris rule ID
• A concrete exploitation scenario showing untrusted input reaching the model context

Closing as not-a-bug. Happy to reopen if you can provide a concrete PoC with the details above.

[sirhafizho]

Hey Brian, I posted your findings, to our infra boys, and this is the reply I got They mentioned - Have you made sure that it's not just a "prompt injection" but also "command injection", because there is still a difference there - It regards to arbitrary code execution on the host system and not in the LLM itself. I can't really share with you the polaris results so much, but they give this detail here for you to also checkout on what file that was also affecting, not just .windsurf but also .claude and the other ones too.(Eg .github), which I think was all flagging under the bmad builder module, do have a check on that too as well, it's actually flagging on the security side of the enterprise. *Affected Files:* .windsurf/skills/bmad-workflow-builder/scripts/generate-html-report.py .windsurf/skills/bmad-agent-builder/scripts/generate-html-report.py .windsurf/skills/bmad-workflow-builder/scripts/generate-convert-report.py *Issue Type:* Command Injection *Description:* The application uses the subprocess package with shell=True which is vulnerable to command injection. *Related To:* CWE-78 <https://cwe.mitre.org/data/definitions/78.html> Thanks Brian

…

On Sun, 26 Apr 2026 at 11:21, Brian ***@***.***> wrote: *bmadcode* left a comment (bmad-code-org/BMAD-METHOD#2306) <#2306 (comment)> Thanks for flagging this. After review, this is a false positive from the scanner. Here's the reasoning: The .claude/ directory contains skills, agents, commands, and workflows that are intentionally authored as natural-language instructions for the LLM. They *are* prompts by design. Static analyzers like Polaris pattern-match on prompt-like text and flag anything resembling LLM instructions as "prompt injection," but that's not what the term actually means. A real prompt injection vulnerability requires *untrusted input* (user-supplied data, external web content, third-party documents, etc.) flowing into a model context where it can override system instructions. Framework files authored by maintainers and shipped in the repo are not an injection vector. They're the program. If you don't trust the maintainers, that's a supply-chain trust decision (the same as installing any npm/pip package), not a prompt injection CVE. For this to be actionable as a security issue we'd need: - The specific file(s) and line(s) flagged - The Polaris rule ID - A concrete exploitation scenario showing untrusted input reaching the model context Closing as not-a-bug. Happy to reopen if you can provide a concrete PoC with the details above. — Reply to this email directly, view it on GitHub <#2306 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANMGWJFXOHPTEZTMLGU6LYL4XV6D7AVCNFSM6AAAAACYE3TDZSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DGMRRGE3DANRYG4> . Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS <https://github.com/notifications/mobile/ios/ANMGWJHOXX4M2U7DXRVPXRT4XV6D7A5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMZSGEYTMMBWHA32M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KUZTPN52GK4S7NFXXG> and Android <https://github.com/notifications/mobile/android/ANMGWJBSUJCJAK453ZBX5TT4XV6D7A5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMZSGEYTMMBWHA32M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2K4ZTPN52GK4S7MFXGI4TPNFSA>. Download it today! You are receiving this because you authored the thread.Message ID: ***@***.***>