jb-beansloop
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill reads task descriptions and bodies via the beans CLI (beans query) and follows their instructions to meet 'acceptance criteria'. An attacker who can influence the repository's tasks (e.g., via a Pull Request or shared task tracker) could embed malicious instructions in a bean.
  - Ingestion points: SKILL.md (Next Issue Mode) uses beans query to fetch task titles, types, and bodies.
  - Boundary markers: None. The skill interpolates bean content directly into the agent's context without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill executes arbitrary shell commands for verification (npm run build, npm run test, etc.) and uses the committer skill to push changes to the repository.
  - Sanitization: None detected.
- [Command Execution] (MEDIUM): The 'Pre-Completion Verification' section instructs the agent to run potentially untrusted commands from the repository's configuration (npm run build, npm run lint, npm run test). If these scripts are modified by a malicious bean or collaborator, it leads to arbitrary code execution.
- [External Dependencies] (LOW): The skill relies on an external beans CLI. While not inherently malicious, the source and integrity of this tool are not verified within the skill's instructions.
Recommendations
- AI detected serious security threats
Audit Metadata