execution-tracking
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE; EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill attempts to install the external `beads` (`bd`) CLI tool using `brew install beads` (macOS) or `cargo install beads` (Linux) if it is missing from the system. These downloads originate from well-known package registries.
- [COMMAND_EXECUTION]: The skill extensively executes the `bd` CLI to perform task management operations. It also executes a local Python script, `scripts/ingest-plan.py`, to parse plan files and register them in the task database.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing external data into the agent's context.
  - Ingestion points: The script `scripts/ingest-plan.py` reads content from Markdown plan files, specifically looking for `### Task N:` headers and task bodies.
  - Boundary markers: The script uses structural headers to identify tasks but lacks explicit boundary instructions or 'ignore' markers to prevent the agent from obeying instructions embedded within the task descriptions.
  - Capability inventory: The skill can create, update, and link tasks in the `bd` system based on the ingested content, effectively allowing external data to influence the agent's task list.
  - Sanitization: While the script avoids shell injection by using list-based arguments in `subprocess.run` and truncates task bodies to 4000 characters, it does not perform semantic sanitization or validation of the input content before it is stored in the task tracker.
Audit Metadata