beads
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill directs the agent to install the '@beads/bd' package via npm, Homebrew, and Go. The source (steveyegge/beads) is not on the trusted organizations list, requiring manual verification of the external code before installation.
- COMMAND_EXECUTION (MEDIUM): The 'bd hooks install' command configures Git hooks. This creates a persistence mechanism where code can be executed automatically during standard Git operations without explicit session intervention.
- DATA_EXFILTRATION (LOW): The 'bd sync' command pushes local task data to a remote repository. Users should be aware that any sensitive information (e.g., secrets, internal paths) added to task titles or descriptions will be transmitted to the remote origin.
- PROMPT_INJECTION (LOW): The skill exhibits an indirect prompt injection surface.
  1. Ingestion points: Untrusted data enters the agent context via 'bd sync' (pulling), 'bd ready', and 'bd show' as described in SKILL.md.
  2. Boundary markers: None identified; no instructions are provided to the agent to delimit or ignore instructions embedded in task data.
  3. Capability inventory: The skill possesses capabilities for package installation, persistence (hooks), and network synchronization (sync).
  4. Sanitization: No input sanitization or validation of retrieved task data is specified in the skill logic.
Audit Metadata