worktree-beads-tmux-orchestrator

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS & REMOTE_CODE_EXECUTION (HIGH): The README.md file explicitly recommends installing the 'beads' CLI by piping a remote shell script directly into bash: curl -fsSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash.
      • Evidence: This source (steveyegge) is not part of the defined Trusted GitHub Organizations. Piping unverified remote content to a shell is a critical security risk, as the script can be modified by the author or an attacker at any time to include malicious commands.
  • COMMAND_EXECUTION (MEDIUM): The scripts/setup-workflow.sh and scripts/switch-context.sh scripts use the PROJECT_NAME variable to construct file paths and shell commands without sanitization.
      • Evidence: mkdir -p ~/worktrees/${PROJECT_NAME}. If an attacker or a malicious prompt influences the project name to include directory traversal (e.g., ../../target), it could allow file system manipulation outside of the intended worktrees directory. Additionally, the sed command in setup-workflow.sh is vulnerable to delimiter injection if the project name contains slashes.
  • INDIRECT PROMPT INJECTION (LOW): The skill processes project-specific data which could be manipulated by a malicious repository to influence the agent.
      • Ingestion points: scripts/standup-report.sh reads data from .beads/beads.jsonl and passes it to jq and bv (beads viewer) for display.
      • Boundary markers: Absent. The standup report passes data from the external file directly into the agent's context.
      • Capability inventory: The skill can execute git clone, tmux session management, and file creation via scripts/setup-workflow.sh.
      • Sanitization: No sanitization or validation is performed on the contents of the beads.jsonl file before processing.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:48 PM