beads
Fail
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The instructions recommend installing the
beadstool by downloading binaries or execution scripts from a third-party GitHub repository (https://github.com/gastownhall/beads) that is not identified as a trusted source. - [COMMAND_EXECUTION]: The skill relies on the execution of various shell-based commands using the
bdtool. These commands are used to initialize repositories (bd init), manage tasks (bd create,bd update), and handle synchronization logic. - [DATA_EXFILTRATION]: The tool is designed to synchronize local issue databases with external remotes and services (Dolt, GitHub, GitLab, Linear, Jira, and Azure DevOps). This functionality involves sending task data, metadata, and agent-specific memories to external infrastructure.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its data ingestion model.
- Ingestion points: Untrusted data is retrieved from external sources through
bd sync,bd import, and various issue tracker integrations. - Boundary markers: No specific delimiters or "ignore instructions" warnings are provided.
- Capability inventory: The skill provides shell command execution, network access, and file system access.
- Sanitization: No evidence of validation for content pulled from external trackers.
Recommendations
- AI detected serious security threats
Audit Metadata