beads
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the external 'bd' CLI tool for issue tracking. Tool usage is declared as restricted to commands prefixed with 'bd:', which limits the risk of arbitrary command execution. However, supplemental documentation in 'TROUBLESHOOTING.md' and 'ASYNC_GATES.md' also references tools like 'pkill' and 'gh', which an agent might attempt to use outside the declared scope.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by instructing the agent to ingest and act upon data from issue descriptions and notes.
- Ingestion points: Untrusted data from the issue tracker enters the context via output from 'bd show', 'bd ready', and 'bd list'.
- Boundary markers: No explicit delimiters or instructions to ignore embedded instructions are utilized when reading issue content.
- Capability inventory: The agent possesses 'Bash(bd:*)' capabilities and potentially other environment tools (e.g., Python or generic Bash) which could be targeted.
- Sanitization: The skill does not perform or suggest any sanitization of retrieved text before the agent interprets it.
Audit Metadata