bd-workflow

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] BENIGN. The content serves as governance and workflow documentation for using beads-based task tracking with explicit push/sync procedures. No malicious behavior or secret leakage is evident; data flows are normal for a git-backed, JSONL-based tracker. The guidance is coherent and aligned with its stated purpose. LLM verification: The document legitimately documents a bd workflow and agent interactions, but contains multiple high-risk operational mandates for automated agents: unconditional network pushes, destructive git maintenance commands, and unpinned third-party installs without guidance on secrets handling. I do not see direct code-level malware or obfuscation, but the procedure can cause accidental data exfiltration or loss if an agent follows it automatically. Recommend adding explicit safeguards: secrets scannin