gstack-workflow-assistant
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill requires users to clone an external, untrusted repository (github.com/garrytan/gstack.git) and execute a setup script (./setup). This pattern allows the external repository owner to execute arbitrary code on the user's local machine during the installation phase.
- [CREDENTIALS_UNSAFE]: The /setup-browser-cookies command is designed to import sensitive session data (cookies) from Chrome, Arc, Brave, and Edge. Accessing these credentials directly from the user's browser environment is a high-risk operation that could lead to unauthorized account access or session hijacking.
- [COMMAND_EXECUTION]: The skill instructions direct users to perform shell commands including chmod +x and the execution of a pre-compiled or local binary (browse/dist/browse), increasing the risk of executing unverified code.
- [EXTERNAL_DOWNLOADS]: The skill relies on fetching its core components and dependencies from an external GitHub repository that is not part of the trusted vendors list.
- [PROMPT_INJECTION]: The /browse and /qa commands represent a significant indirect prompt injection surface. These tools ingest untrusted content from the web or git diffs and possess the capability to perform actions like browser automation and file writes without evidence of sanitization or boundary markers to prevent the agent from obeying instructions embedded in the external data.
Recommendations
- AI detected serious security threats
Audit Metadata