bd-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the installation of 'beads-mcp' via pip. This is an unverified external dependency not originating from a trusted organization or repository list.
  • [COMMAND_EXECUTION] (HIGH): The 'Land the Plane' workflow uses extremely forceful, mandatory language ('NON-NEGOTIABLE', 'MUST', 'NEVER STOP') to compel the agent into executing a sequence of shell commands including 'git push' and 'bd sync'. This pattern can be used to override agent reasoning and ensure the execution of potentially malicious state changes.
  • [PROMPT_INJECTION] (HIGH): The skill exhibits a significant Indirect Prompt Injection surface (Category 8). It ingests untrusted data from '.beads/issues.jsonl' via the 'bd ready' command and processes this data to determine its next actions. Lacking boundary markers or sanitization, an attacker can commit malicious instructions into issue titles or notes that the agent may interpret as valid commands.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill directs the agent to modify its host environment configuration ('~/.config/claude/config.json') to register a persistent Model Context Protocol (MCP) server. This provides a long-term persistence mechanism and execution hook for the 'beads-mcp' package across future sessions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:59 PM