skills/vinnie357/claude-skills/bees/Gen Agent Trust Hub

bees

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill configuration and installation instructions (SKILL.md, mise.toml) point to external binaries and source code at 'github.com/ctxshift/bees'. This source is not a recognized trusted vendor. The skill fetches and executes these unverified binaries locally.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
      1. Ingestion points: Issue metadata, including titles, descriptions, and labels, is read from the SQLite database into the agent context in 'agents/bees-worker.md'.
      2. Boundary markers: No delimiters or protective warnings are used when processing issue data.
      3. Capability inventory: The agent has high-privilege capabilities including file modification (Write, Edit), shell execution (Bash), and dynamic skill activation.
      4. Sanitization: There is no sanitization or validation of issue content before it is used to drive agent logic.
      5. Evidence: The worker agent is specifically instructed in 'agents/bees-worker.md' to 'Activate any valid skill' based on 'skill:' labels found in the untrusted issue data, allowing malicious data to control the agent's toolset.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 23, 2026, 09:58 AM