Skills
skills/itechmeat/llm-code/beads/Gen Agent Trust Hub

beads

Fail

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's documentation directs users to install the bd CLI tool via Homebrew from a third-party tap (brew install steveyegge/beads/bd) or by executing an installation script directly from a GitHub repository (https://github.com/steveyegge/beads). Neither the author nor the repository is included in the recognized trusted organization list.
  • [COMMAND_EXECUTION]: The skill relies on the execution of the bd binary for core functions, including database initialization (bd init), task management (bd create, bd update), and environment diagnostics (bd doctor). It also includes a Python script (scripts/bd_generate_markdown_plan.py) intended for local execution to facilitate bulk task creation.
  • [DATA_EXFILTRATION]: The skill facilitates the transfer of task and project data to various remote services. Commands such as bd sync, bd dolt push, and specific integration syncs for GitLab, GitHub, Linear, and Azure DevOps transmit local database state to external servers. While these targets are well-known technology services, the CLI tool acts as a channel for potentially sensitive development metadata.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of data from untrusted external sources and integrations.
  • Ingestion points: Data enters the system context through bd import of JSONL files, synchronization with external trackers (GitHub, GitLab, Jira, Azure DevOps), and the --design-file argument which reads external Markdown files into the task creation process.
  • Boundary markers: There is no evidence of the use of delimiters or specific instructions to the agent to ignore embedded commands or malicious patterns within the imported issue content.
  • Capability inventory: The bd CLI provides capabilities to perform network operations, write to the local file system, and modify task data based on retrieved content.
  • Sanitization: The skill does not mention or implement validation or sanitization mechanisms for the requirements, design plans, or comments pulled from integrated external trackers before they are processed by the AI agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 21, 2026, 12:21 AM