skills/tkersey/dotfiles/gen-beads/Gen Agent Trust Hub

gen-beads

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted Markdown content and uses it to drive agent actions.
      * Ingestion points: Reads external files like 'plan.md', 'plan-*.md', or design documents (Workflow Step 1).
      * Boundary markers: Absent. The instructions ('take ALL of that and elaborate on it more') lack delimiters or protective instructions to prevent the agent from obeying commands embedded within the untrusted plan files.
      * Capability inventory: The agent uses the 'bd' tool to create, modify, and wire dependencies, representing a state-changing capability.
      * Sanitization: No sanitization or validation of the input file content is performed before processing.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on the 'bd' tool for all operations. If the agent interpolates untrusted text from the plan file into command arguments for 'bd' (e.g., in bead comments or names), it could result in logic manipulation or unauthorized modifications to the task graph.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:50 AM