skills/vinnie357/claude-skills/beads/Gen Agent Trust Hub

beads

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The beads-worker.md agent is vulnerable to indirect prompt injection. It retrieves task titles, descriptions, and labels from the repository using the bd CLI. Because this data is stored in version-controlled JSONL files, an attacker with repository access can inject malicious instructions that the worker agent will then follow during its automated execution loop.
      • Ingestion points: Task data is ingested from .beads/tasks.jsonl and .beads/comments.jsonl via the bd ready --json and bd show --json commands.
      • Boundary markers: None. The agent is instructed to directly execute work based on the 'Execute Work' matching patterns applied to task metadata.
      • Capability inventory: The worker agent has access to Bash, Read, Write, Edit, and Task tools, allowing for extensive system manipulation.
      • Sanitization: The skill lacks any mechanism to sanitize or validate external task content before it is processed by the AI.
  • [COMMAND_EXECUTION]: The skill frequently uses the Bash tool to interact with the file system, git repository, and the bd binary. Additionally, the worker agent uses the Task tool to spawn sub-tasks based on issue descriptions found in the tracker.
  • [EXTERNAL_DOWNLOADS]: The skill documentation recommends installing the beads tool from the official Anthropic NPM registry and from an external GitHub repository.
  • [REMOTE_CODE_EXECUTION]: The worker agent in agents/beads-worker.md is instructed to dynamically activate skills based on skill: labels found in task JSON. This creates a mechanism where untrusted external data (labels in a task) directly controls which toolsets and instruction contexts are loaded into the agent's session, which could be abused to load skills with dangerous capabilities.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 23, 2026, 09:58 AM