bee-cli
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] skill_discovery_abuse: System prompt extraction attempt (SD002) [AITech 4.3]
[HIGH] skill_discovery_abuse: System prompt extraction attempt (SD002) [AITech 4.3]
[HIGH] skill_discovery_abuse: System prompt extraction attempt (SD002) [AITech 4.3]

This skill documentation describes a legitimate-but-highly-sensitive tool: it is consistent with its stated purpose (accessing and exporting a user's ambient audio transcripts and derived facts). I found no explicit malware or obfuscation in the documentation. Major risks are privacy exposure and over-privileged access: the CLI fetches full-utterance transcripts, supports full exports to markdown, and prescribes persistent local files and chained subagents that aggregate private data. Verify auth endpoints (https://bee.computer) and confirm installation sources before trusting the CLI; avoid automated approval of agent auth flows and restrict file export/storage. Overall: behaviorally coherent with purpose but high privacy risk — treat as suspicious until endpoints and operational controls are validated.

LLM verification: The skill's functionality (accessing continuous wearable transcripts and derived facts) matches its stated purpose but exposes highly sensitive data and presents multiple supply-chain and operational risks.
Key shortcomings: lack of verifiable E2E encryption details, no integrity/signature guidance for distributed binaries, default behavior encouraging large-volume data retrieval ('bee now' last 10 hours), and an agent-mediated auth flow that can be abused for credential harvesting. I recommend