Beads Task Tracker
v1.0.1
Git-backed issue tracker for AI agents. Use when managing tasks, dependencies, or multi-step work. Triggers on task tracking, issue management, dependency graphs, ready work queues, or mentions of "beads" / "bd" CLI.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the declared requirements: the skill needs a 'bd' CLI and the SKILL.md contains only bd commands for creating, updating, and syncing a git-backed task store (.beads/). The brew and npm install specs both produce the expected 'bd' binary, so requested capabilities align with purpose.
Instruction Scope
Instructions are limited to running the bd CLI and interacting with the repo (.beads/, git hooks, sync). They do not request unrelated environment variables or arbitrary file reads, but they do direct the agent to run git operations (commit/pull/push) and to install git hooks that will modify the repo. bd's auto-sync behavior can cause network I/O (push/pull) using whatever git credentials are configured.
Install Mechanism
Install methods are brew (formula) and npm (@beads/bd). Both are common package distribution mechanisms (lower risk than arbitrary URL downloads) but still carry normal supply-chain risk: the skill has no source URL or homepage in metadata, so there's no immediate way to inspect the package origin from the registry metadata provided here.
Credentials
The skill declares no required env vars or secrets, and the instructions do not attempt to read unrelated environment variables. However, the CLI's git operations will implicitly use the system's git credentials (SSH keys, credential helpers, or tokens), which is expected but worth noting since bd sync/push/pull could expose repository state to remotes.
Persistence & Privilege
always:false (good). The skill will create .beads/, may install git hooks (writes into .git/hooks), and the CLI mentions an auto-sync daemon with 30s debounce — these introduce persistent artifacts in repositories and potential recurring network activity. It does not request system-wide privileges or modify other skills' configurations according to the provided metadata.
What to consider before installing
This skill appears to do what it says (a git-backed task tracker) but you should be cautious before installing. Key things to consider:
- Provenance: there is no homepage/source URL or maintainer info in the metadata. Before installing, find and inspect the brew formula and the npm package (@beads/bd) to verify their source and contents.
- Inspect code: review the npm tarball or the formula's upstream URL to see what bd does, especially any code that auto-syncs, runs daemons, or executes arbitrary commands.
- Test in a sandbox: install and run bd in an isolated or disposable git repository (not a sensitive project) to see what files (.beads/, hooks) it creates and what network calls it makes.
- Git credentials: bd sync will use whatever git auth is configured (SSH keys, tokens). Avoid installing/using bd in repositories where pushing/pulling could leak sensitive data or trigger CI/jobs you don't intend.
- Git hooks: bd hooks install will write to .git/hooks and may run on commits; inspect these hooks before enabling them in important repos.
- Installation scope: prefer local or per-project install rather than global, and avoid running it on systems with elevated access until you trust the package.
If you want to proceed, first locate the package sources (npm/brew formula), audit the scripts and hooks, and run bd in a throwaway repo to observe behavior. If you cannot find or inspect the upstream source, treat the package as higher risk.
Like a lobster shell, security has layers — review code before you run it.
latestvk97et973aek36t1v3w3j1thtgn80hwj5
Runtime requirements
📿 Clawdis
Bins: bd
Install
Install beads (brew)
Bins: bd
brew install beads