beads
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation provides an installation procedure involving a shell script downloaded from the author's GitHub repository (https://raw.githubusercontent.com/schlenks/superpowers-bd/main/scripts/setup-beads-local.sh) and piped directly to bash, enabling unauthenticated execution.
- [PROMPT_INJECTION]: The 'Permission Avoidance' section provides explicit instructions on how to evade safety checks. It tells the agent to avoid semicolons and the 'rm' command specifically because they 'trigger permission prompts,' and suggests using alternative shell syntax like ANSI-C quoting to execute multi-line content silently without user oversight.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the processing of issue content (titles, descriptions, comments) ingested through 'bd' CLI commands. (1) Ingestion points: data returned by 'bd show', 'bd search', and 'bd list' (SKILL.md). (2) Boundary markers: not used to isolate untrusted data. (3) Capability inventory: system command execution via 'bd' and file system writing to 'temp/desc.md'. (4) Sanitization: no validation or escaping of ingested issue content is specified.
- [EXTERNAL_DOWNLOADS]: The skill initiates downloads of the 'beads' tool and setup scripts from remote GitHub repositories belonging to the author.
- [COMMAND_EXECUTION]: The skill's primary operation involves the agent executing system-level commands through the 'bd' CLI to manage project issues, claim tasks, and synchronize local project state.
Recommendations
- HIGH: Downloads and executes remote code from https://raw.githubusercontent.com/schlenks/superpowers-bd/main/scripts/setup-beads-local.sh. DO NOT USE without thorough review.
Audit Metadata