bd
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Data Exposure] (LOW): The installation instructions in `INSTALLATION.md` contain hardcoded local file paths belonging to a specific user account ('mikhail'). While likely intended as placeholders for the user to substitute, they reveal internal directory structures and user information.
- [Indirect Prompt Injection] (LOW): The skill processes untrusted external data such as issue titles, descriptions, and comments (ingested via `bd list`, `bd search`, and `bd status`). This represents a vulnerability surface where an attacker-controlled issue could influence the agent's behavior if the agent is instructed to act based on issue content.
  - Ingestion points: Issue data retrieved from the `.beads/` directory via the `bd` binary.
  - Boundary markers: No specific delimiters or 'ignore instructions' warnings are mentioned in the documentation for handling issue content.
  - Capability inventory: The agent can execute `bd` commands and the included `issue-validator.sh` script, which possesses file-system write and delete capabilities (e.g., removing database files in `--fix` mode).
  - Sanitization: No evidence of sanitization or escaping of external issue content before processing is found in the provided scripts.
- [Persistence Mechanisms] (LOW): The `bd hooks install` command referenced in the documentation installs git hooks (`pre-commit` and `post-commit`) into the local repository. This mechanism ensures the `bd` binary is automatically executed during standard git operations. While this is a core feature of the tool's intended synchronization logic, it constitutes a form of automated persistence that users should be aware of.
Audit Metadata