beads-workflow
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill's core functionality involves ingesting untrusted markdown plan files, creating an indirect prompt injection surface.\n
- Ingestion points:
references/PROMPTS.mdcontains prompts like "read ALL of [YOUR_PLAN_FILE].md", directing the agent to process the entire content of external files.\n - Boundary markers: The instructions do not define delimiters or provide specific commands to ignore potential instructions embedded within the ingested plan files.\n
- Capability inventory: The skill uses the
brtool to write tasks to the filesystem and performsgitoperations to sync with remote repositories.\n - Sanitization: No sanitization or validation of the input file content is performed before the agent processes it.\n- [COMMAND_EXECUTION]: The skill provides instructions for the agent to use various command-line tools for task management.\n
- Tools used:
br,bv,git,grep, andjqare used for project operations.\n - Context: These tools are used as intended for developer workflows, but their execution is triggered by the ingestion of potentially untrusted data.\n- [NO_CODE]: This skill contains no executable script files and consists only of markdown instructions and configuration metadata.
Audit Metadata