beads
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill primarily functions by executing local CLI commands (
bdandgit). This behavior is consistent with the skill's intended purpose of managing a git-backed issue tracker. - [DATA_EXFILTRATION] (LOW): Commands such as
bd syncandgit pushinvolve network operations to synchronize task data with remote repositories. This is the primary function of a distributed tracker but constitutes a data transfer vector. - [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection. It ingests and processes task titles, notes, and descriptions that could contain malicious instructions.
- Evidence for Category 8 (Indirect Prompt Injection):
- Ingestion points: Data enters the agent context through
bd show,bd list, andbd searchcommands which retrieve task content from the tracker. - Boundary markers: The skill does not implement delimiters or 'ignore' instructions to isolate task data from the agent's control logic.
- Capability inventory: The agent can execute arbitrary beads commands, modify the local file system via git, and perform network synchronization.
- Sanitization: No sanitization or validation of external task content is performed before the agent processes the information.
Audit Metadata