beans
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Remote Code Execution (HIGH): The skill mandates installation of the 'beans' binary from an unverified third-party repository (hmans/beans). This binary is executed by the agent to manage tasks and generate context, presenting a significant supply chain risk.
- Indirect Prompt Injection (HIGH): The 'beans-prime.ts' plugin creates a critical vulnerability surface by injecting unverified file content directly into the agent's system prompt.
  - Ingestion points: Markdown files located in the '.beans/' directory are read and aggregated via the 'beans prime' command.
  - Boundary markers: Absent. The plugin takes raw command output and pushes it directly into the 'output.system' and 'output.context' arrays without delimiters or warnings.
  - Capability inventory: The agent is granted permission to create and modify files (via 'beans create' and 'beans update') and is encouraged to perform git commits based on bean content.
  - Sanitization: None. There is no filtering or validation of the content within the bean files before they are presented as authoritative context to the AI.
- Prompt Injection (MEDIUM): The skill instructions use 'IMPORTANT' and 'CRITICAL' overrides to force the agent to prioritize tool output over its base training. Evidence: 'IMPORTANT: before you do anything else, run the beans prime command and heed its output'. This elevates the risk of the indirect injection findings.
- Command Execution (MEDIUM): The OpenCode plugin executes arbitrary shell commands ('which beans', 'test -f', 'beans prime') using a shell wrapper, which could be exploited if path variables or directory names are manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata