beads
Fail
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the user to execute a shell script directly from a remote URL using
curl ... | bash. This is a highly dangerous pattern as the content of the script is retrieved from an untrusted GitHub repository (Dicklesworthstone/beads_rust) and executed with the user's current shell permissions. The URL includes a dynamic timestamp query parameter ($(date +%s)), which can be used to bypass caching and potentially serve different versions of the script. - [EXTERNAL_DOWNLOADS]: The skill provides installation methods using
cargo install --gitpointing to an untrusted repository. Additionally, thebr upgradecommand indicates the tool has built-in functionality to update itself from remote sources, maintaining a risk of remote code execution. - [COMMAND_EXECUTION]: The skill is designed to execute various shell commands to manage a local SQLite database. While the primary purpose is for issue tracking, the agent is granted the capability to interact with the filesystem.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
- Ingestion points: Untrusted data enters the agent context via the
.beads/beads.dbfile when calling commands likebr listorbr show. - Boundary markers: No delimiters or warnings are present to prevent the agent from obeying instructions embedded in issue data.
- Capability inventory: The agent has access to execute
brcommands and perform file operations. - Sanitization: No sanitization or escaping of external content is specified before the data is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/Dicklesworthstone/beads_rust/main/install.sh?$(date - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata