create-beads-orchestration

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill utilizes multiple 'curl | bash' patterns to install dependencies such as the Beads CLI, UV, and RAMS. This is a high-risk pattern that executes remote scripts directly in the shell environment without verification.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads and executes resources from several non-whitelisted domains, including rams.ai and astral.sh. While vercel.com and github.com/vercel are trusted, the other sources fall outside the trusted scope defined in the security analysis skill.
  • [COMMAND_EXECUTION] (MEDIUM): The framework installs 13 different shell hooks (e.g., block-orchestrator-tools.sh, enforce-sequential-dispatch.sh, validate-completion.sh) into the .claude/hooks/ directory. These scripts run automatically during the agent's lifecycle, performing git operations and executing commands based on agent tool inputs.
  • [DATA_EXFILTRATION] (MEDIUM): The mcp-provider-delegator component is designed to send task prompts and codebase context to external CLI providers (codex and gemini). While this is a functional requirement of the delegation feature, it facilitates the movement of local project data to external services.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection. Supervisors are instructed to read and follow 'bead comments' (stored in git) which could be influenced by external contributors in a shared repository environment. The discovery agent also generates instructions based on unverified local configuration files.
  • Ingestion points: bd show, bd comments, package.json, and requirements.txt.
  • Boundary markers: XML-style tags are used in some templates, but there is no explicit 'ignore embedded instructions' directive for processed data.
  • Capability inventory: Full access to Bash, Edit, Write, and git tools across all supervisors.
  • Sanitization: No sanitization of external bead comments or file content before injection into sub-agent prompts was observed.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh, https://rams.ai/install, https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:03 PM