gstack-workflow-assistant
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill includes a feature called
/setup-browser-cookieswhich explicitly accesses sensitive local browser profile data. It states it "imports cookies from real browser (Chrome, Arc, Brave, Edge)" to enable authenticated testing. This involves reading sensitive files from the user's home directory. - [EXTERNAL_DOWNLOADS]: The installation process requires fetching code from an external GitHub repository (
github.com/garrytan/gstack.git) which is not included in the trusted vendors list. - [COMMAND_EXECUTION]: The skill directs users to execute a
./setupscript immediately after cloning the external repository. This script runs with the user's permissions and performs unknown initialization tasks, including potentially rebuilding binaries. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Commands like
/browseand/qaingest untrusted content from external websites and git history. This data is then processed by the agent to perform actions like identifying breakage or testing responsive design. - Ingestion points: Web content via
/browse [URL], git diffs via/qa, and git history via/retro. - Boundary markers: None mentioned in the skill documentation to separate untrusted web content from agent instructions.
- Capability inventory: File system access (
.gstack/,.context/), network operations (browser automation), and git operations (/shiptriggers pushes and PR creation). - Sanitization: No evidence of sanitization for ingested web content or git metadata before processing.
- [COMMAND_EXECUTION]: Troubleshooting instructions suggest the use of
chmod +xon downloaded scripts and binaries (setup,browse/dist/browse), which grants execution permissions to external code.
Audit Metadata