backlog-manager

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The skill explicitly defines installation steps that download and execute scripts from untrusted internet sources using piped shell execution. Evidence in resources/beads-backend.yml: 'curl -fsSL https://raw.githubusercontent.com/steveyegge/beads/main/install.sh | bash'. Evidence in resources/beads-viewer.yml: 'curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/beads_viewer/main/install.sh | bash'. These GitHub repositories belong to untrusted users (steveyegge, Dicklesworthstone) not present in the trusted organizations list, posing a severe risk of arbitrary code execution.
  • COMMAND_EXECUTION (HIGH): Multiple backend configurations utilize direct shell command interpolation for user-controlled strings without sanitization. resources/beads-backend.yml interpolates {title} and {reason} directly into bd CLI calls. resources/github-backend.yml interpolates {title} and {body} into gh CLI calls. resources/file-backend.yml executes complex pipelines with ls, grep, and awk based on file names that may be influenced by external input.
  • EXTERNAL_DOWNLOADS (MEDIUM): The Linear backend uses npx -y to fetch and execute remote code from a non-whitelisted source. Evidence in resources/linear-backend.yml: 'npx -y mcp-remote https://mcp.linear.app/mcp'.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to the way it processes external task data.
      1. Ingestion points: Task titles, descriptions, and comments retrieved from GitHub Issues, Linear, or local Markdown files.
      2. Boundary markers: Absent. No delimiters or instructions are provided to the agent to treat this data as untrusted text rather than executable commands.
      3. Capability inventory: Shell execution via gh, bd, and bv tools, plus file system modification capabilities.
      4. Sanitization: Absent. The YAML templates perform direct string substitution into shell commands, which can be exploited for command injection if a task title contains shell metacharacters.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 18, 2026, 01:03 PM