The Agent Skills Directory

REMOTE_CODE_EXECUTION (CRITICAL): The skill's initialization script (scripts/pm/init.sh) downloads and executes a remote script using the dangerous pattern curl -fsSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash. The source repository steveyegge/beads is not a trusted external source according to security policy, allowing the remote maintainer to execute arbitrary code on the host machine during initialization.
EXTERNAL_DOWNLOADS (HIGH): The skill's primary setup routine downloads and installs the Beads CLI from a non-whitelisted GitHub repository without any integrity verification or version pinning, creating a significant supply chain risk.
COMMAND_EXECUTION (MEDIUM): The skill utilizes a pre-tool-use hook (hooks/bash-worktree-fix.sh) that dynamically rewrites shell commands before they are sent to the Bash tool. While intended to handle Git worktree resets, this automated manipulation of shell inputs can lead to unexpected command execution if edge cases in file paths or command structures are exploited.
PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection. It ingests data from Product Requirements Documents (PRDs) and Epic files (ingestion points: .project/prds/*.md, .project/epics/*.md) and interpolates this content into agent prompts. The system lacks explicit boundary markers or 'ignore' instructions, and given its extensive capabilities (Bash tool, Write tool, and sub-agent launching via the Task tool), malicious instructions embedded in these files could influence agent behavior.
COMMAND_EXECUTION (LOW): Multiple management scripts (epic-list.sh, epic-show.sh, search.sh) parse local project files using grep and sed without strict validation. Maliciously crafted filenames or file content could potentially interfere with script execution logic.

beads-ccpm