beads-workflow
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Prompt Injection (SAFE): No direct attempts to bypass safety filters or override system instructions were identified within the skill documentation.
- Indirect Prompt Injection (LOW): The skill provides an attack surface for indirect prompt injection by processing potentially untrusted data from issue trackers.
  - Ingestion points: Untrusted data enters the context via bd show, bd list, and GitHub PR descriptions via mcp__github__tools.
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore instructions embedded within the issue content.
  - Capability inventory: The agent has access to Bash, Read, and GitHub management tools, which could be exploited if malicious instructions are parsed from issue data.
  - Sanitization: No evidence of sanitization or validation of external issue content before processing.
- Data Exposure & Exfiltration (SAFE): No hardcoded credentials, API keys, or access to sensitive local paths (like ~/.ssh or .env) were found. Network activity is limited to git synchronization via bd sync.
- Remote Code Execution (SAFE): The skill does not contain instructions to download and execute external scripts or binaries from remote sources.
- Command Execution (SAFE): The use of the bd CLI is consistent with the skill's stated purpose of issue tracking and project management.