Beads Task Tracker
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent task-tracking skill, but it relies on an external bd CLI that can write git-backed task files, install hooks or auto-sync behavior, and push task data to your repository.
This skill appears purpose-aligned and not malicious from the provided artifacts. Before installing, make sure you trust the bd CLI package, understand that Beads may install git hooks or use auto-sync, and avoid placing secrets or private information in Beads tasks if the repository syncs to a remote.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The safety of the skill depends on the bd package you install, not just on this SKILL.md file.
The skill delegates its functionality to an externally installed bd CLI. This is expected for this instruction-only task tracker, but the CLI's implementation is not included in the provided artifacts.
install:
  - id: brew
    kind: brew
    formula: beads
    bins: [bd]
  - id: npm
    kind: npm
    package: "@beads/bd"
Install bd only from a trusted package source and review the package/source if your repository contains sensitive work.
Task changes and task notes may be pushed to the configured Git remote using your Git permissions.
The sync command can use the user's existing Git repository access to commit, pull, and push task data. This matches the git-backed issue tracker purpose, but it is meaningful account/repository authority.
bd sync # Export → commit → pull → import → push
Use this only in repositories where automatic task-data sync is acceptable, and avoid putting secrets or private notes into Beads issues.
After setup, repository hooks or background sync may keep updating Beads state during later work.
The documentation discloses persistent project integration through git hooks and daemon auto-sync behavior. This is purpose-aligned, but it can continue affecting repository workflow after initialization.
bd init --quiet # Non-interactive, auto-installs hooks
...
The daemon auto-syncs with 30s debounce.
Review installed git hooks and auto-sync settings; use local-only or stealth mode if you do not want Beads data committed or pushed.
Sensitive or misleading task text can persist in the repository and influence later agent work.
Beads stores task descriptions, notes, designs, dependencies, and status as persistent project context that future agents may read and act on.
dependency-aware task graph stored as JSONL in `.beads/`
Treat Beads issue content as shared project data, review unexpected task text, and do not store credentials or secrets in issue descriptions or notes.
