Beads — agentic threat model
Beads introduces a persistent, git-backed memory layer for coding agents, creating a high-risk vector for persistent memory poisoning that can influence future agent runs and lead to indirect prompt injection.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.80 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 1.00 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — Beads is model-agnostic and acts as an MCP tool; however, the downstream LLM is highly vulnerable to indirect prompt injection and behavioral reprogramming if it consumes poisoned memory beads from the store.
Beads acts as a specialized data store. The primary threat is knowledge-base and memory poisoning, where malicious or corrupted data is committed to the Git-backed store and subsequently loaded into the agent's context window.
This is the core layer for Beads. It provides structured memory records over MCP. The main threat is memory poisoning and insecure tool integration, as agents can read/write arbitrary content that persists across sessions without input sanitization.
The memory store is Git-backed. Infrastructure threats include unauthorized access to the Git repository, lack of transport security for the MCP connection, and potential credential exposure if Git SSH keys or tokens are poorly managed.
Not certain from the listing — there is no mention of built-in guardrails, anomaly detection, or validation schemas to detect when a memory bead contains malicious payloads or prompt injections.
Not certain from the listing — access control relies entirely on the underlying Git repository's permissions. There is no native authentication or fine-grained authorization policy defined within the Beads protocol itself.
Because Beads is designed for cross-session and potentially cross-agent memory, a compromised agent can write poisoned memories to the shared Git store, leading to cascading failures and horizontal privilege escalation across the agent ecosystem.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).