skills/arustydev/ai/beads/Gen Agent Trust Hub

beads

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill utilizes a 'resumability' pattern where implementation guides and code snippets are stored in task fields (e.g., 'notes', 'design'). This data is intended to be read and followed by the agent to restore context in subsequent sessions.
      • Ingestion points: Data is ingested from the Git-backed storage via 'bd show' and 'bd ready' commands.
      • Boundary markers: The skill suggests using visual headers like 'IMPLEMENTATION GUIDE', but lacks strict technical delimiters to prevent the LLM from confusing stored notes with system instructions.
      • Capability inventory: The allowed tools include 'Read' and 'Bash(bd:*)'. Instructions found in task notes could influence the use of these or other available tools in the agent's environment.
      • Sanitization: No evidence of sanitization for the task data stored in the beads database.
  • Command Execution (SAFE): Bash usage is strictly limited to the 'bd' CLI tool using a prefix match ('bd:*'), following the principle of least privilege.
  • External Dependency (SAFE): The skill requires the 'bd' CLI tool. No automated or hidden installation scripts (such as curl|bash) were found within the skill files.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 21, 2026, 11:36 AM