gstack
Fail
Audited by Snyk on Apr 10, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (medium risk: 0.60). The prompt includes non-obvious, state-changing instructions outside pure QA browsing — e.g., it auto-writes telemetry/analytics and touches local marker files (and logs session info) before prompting for consent, and mandates creating/committing project routing files in some flows — behaviors that are not part of the skill's stated QA/dogfooding purpose and are effectively hidden or surprising to users.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md clearly instructs the agent to navigate to arbitrary open-web URLs (e.g., the "Navigation" examples with $B goto https://... and the "diff" and "cookie-import-browser" flows) and to read page content via commands like text, html, links, snapshot, and console — i.e., it fetches and ingests untrusted third‑party page content as part of normal workflow (see the "gstack browse" and "Reading" sections and the explicit "Untrusted content" stanza), so that page content could materially influence subsequent tool actions if not correctly ignored.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's setup step conditionally downloads and executes a remote installer at runtime via curl -fsSL "https://bun.sh/install" -o "$tmpfile" and then runs the fetched script (BUN_VERSION install), which is a remote script execution dependency used during runtime.
Issues (3)
CRITICAL E004: Prompt injection detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).