backlog-manager
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill contains commands that fetch shell scripts from the internet and pipe them directly into a bash shell. This allows for arbitrary code execution from unverified sources.
  - Evidence: assets/beads-backend.yml contains install: "curl -fsSL https://raw.githubusercontent.com/steveyegge/beads/main/install.sh | bash".
  - Evidence: assets/beads-viewer.yml contains install: "curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/beads_viewer/main/install.sh | bash".
- [EXTERNAL_DOWNLOADS]: Installation instructions depend on downloading content from personal GitHub repositories that are not associated with trusted organizations or well-known technology service providers.
- [COMMAND_EXECUTION]: The skill operations involve executing various shell commands and specialized CLI tools (gh, bd, bv, ls, grep, awk) to manage tasks and process files.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes untrusted data from external backends (titles, descriptions, comments) and integrates it into the agent context.
  - Ingestion points: Task data is ingested via tool calls like gh issue list, bd list, and Linear MCP resources in assets/github-backend.yml, assets/beads-backend.yml, and assets/linear-backend.yml.
  - Boundary markers: There are no delimiters or instructions to ignore commands potentially embedded in the task content retrieved from backends.
  - Capability inventory: The skill has access to shell execution and file system manipulation tools.
  - Sanitization: No sanitization or escaping is applied to the retrieved task descriptions before they are used in commands or logs.
Recommendations
- AI detected serious security threats