
Audit history

using-beads-bv - 6 audits

Audit version 6

Latest, medium risk

Jun 28, 2026, 06:05 AM

Static analysis flagged many shell-command patterns and several weak-crypto patterns. The weak-crypto detections are false positives, and the network finding is only a project link, but the skill does instruct agents to run bd, bv, and git commands that can alter local and remote state. No prompt injection, credential access, obfuscation, or data exfiltration intent was found in SKILL.md.

Files analyzed: 1
Lines analyzed: 122
Results: 6
Audited by: codex
Medium-risk issues (2)
External CLI Commands Can Modify Project State
The skill provides command workflows for bd and bv, including creating, updating, closing, and syncing tasks. This is legitimate for the skill purpose, but it can change project task data and should run only in trusted repositories with the expected tools installed.
Session Close Protocol Includes Git Push
The skill instructs users to stage files, commit changes, sync Beads state, and push to a remote repository before ending a session. This can publish local code and task metadata if followed without human review.
Low-risk issues (2)
Hardcoded Project URL Is Informational
The static network finding points to the upstream Beads project URL. It is a documentation link and does not perform a network request or send data.
Weak Cryptography Detections Are False Positives
The static weak-crypto detections occur on metadata, prose, or command-table lines. No hash function, encryption function, or cryptographic implementation appears in the reviewed file.

Detected patterns

Shell Command Guidance

Audit version 5

Safe

Jan 16, 2026, 03:00 PM

Pure documentation skill containing only markdown guidance for using beads/bv CLI tools. No executable code, no network calls, no file system access, no command execution. All 61 static findings are false positives from misinterpreting markdown command examples as executable backtick syntax.

Files analyzed: 2
Lines analyzed: 300
Results: 2
Audited by: claude
No security issues found

Audit version 4

Safe

Jan 16, 2026, 03:00 PM

Pure documentation skill containing only markdown guidance for using beads/bv CLI tools. No executable code, no network calls, no file system access, no command execution. All 61 static findings are false positives from misinterpreting markdown command examples as executable backtick syntax.

Files analyzed: 2
Lines analyzed: 300
Results: 2
Audited by: claude
No security issues found

Audit version 3

Safe

Jan 10, 2026, 10:26 AM

Pure documentation skill containing only markdown guidance for using beads/bv CLI tools. No executable code, no network calls, no file system access, no command execution. Risk level is safe.

Files analyzed: 1
Lines analyzed: 122
Results: 0
Audited by: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:26 AM

Pure documentation skill containing only markdown guidance for using beads/bv CLI tools. No executable code, no network calls, no file system access, no command execution. Risk level is safe.

Files analyzed: 1
Lines analyzed: 122
Results: 0
Audited by: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:26 AM

Pure documentation skill containing only markdown guidance for using beads/bv CLI tools. No executable code, no network calls, no file system access, no command execution. Risk level is safe.

Files analyzed: 1
Lines analyzed: 122
Results: 0
Audited by: claude
No security issues found