skills/bjesuiter/skills/jb-beans/Gen Agent Trust Hub

jb-beans

Warn

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill documentation instructs users to install an external binary ('beans') from an untrusted source ('hmans/beans') via Homebrew or Go. This repository does not belong to the trusted organizations or repositories defined in the safety scope.
  • [COMMAND_EXECUTION] (MEDIUM): The integrated OpenCode plugin ('beans-prime.ts') executes the 'beans' CLI using shell commands. This creates a risk where a compromised or malicious version of the tool could execute unauthorized code on the host system during normal agent operation.
  • [Prompt Injection] (LOW): The 'SKILL.md' uses directive language ('IMPORTANT: before you do anything else...') designed to influence the agent's execution priority and override its default behavior.
  • [Indirect Prompt Injection] (LOW): The skill provides a plugin that injects the output of the 'beans prime' command (which reads local markdown files) into the AI's system prompt.
      • Ingestion points: Markdown files stored in the project's '.beans/' directory.
      • Boundary markers: Absent. The plugin appends raw CLI output to the 'system' and 'context' prompt arrays without delimiters or warnings to the model.
      • Capability inventory: The skill allows for local file system access and shell command execution via the CLI wrapper.
      • Sanitization: Absent. There is no evidence of content escaping, validation, or filtering before the data is promoted to the system prompt context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 22, 2026, 02:39 PM