gstack
Audited by Socket on Apr 10, 2026
17 alerts found:
Anomaly x17
SUSPICIOUS. The core debugging workflow is legitimate, but this skill's actual footprint is broader than its stated purpose: it runs opaque local binaries, includes optional remote telemetry, and can modify and commit CLAUDE.md routing rules unrelated to root-cause analysis. The behavior looks more like a suite bootstrap/onboarding wrapper around a debug skill than a narrowly scoped investigate skill.
Within the provided fragment, the code behaves like a legitimate extension controller for an inspector/side panel, but it contains notable security and privacy risk points: (1) message-driven executeCommand(msg.command,msg.args) and content-script dispatch driven by untrusted msg, and (2) an authenticated backend call that transmits activeTabUrl and msg.message to `${base}/sidebar-command`. There is no clear evidence of overt malware (e.g., obvious obfuscation, eval-based backdoors, or destructive behavior) in the snippet, but due to missing helper implementations and token/base derivation, a cautious review of executeCommand/sendToContentScript/getBaseUrl/loadAuthToken/postInspectorPick is warranted.
No explicit malicious payload (obfuscation, eval/Function, filesystem/process manipulation, or outbound exfiltration) is visible in this snippet. However, the module exposes powerful session-affecting functionality: it imports cookies into a browser automation context and clears cookies by client-supplied domain. Because authorization/input-validation for these endpoints and the unseen importCookies implementation are not shown, the overall security risk is moderate to high due to potential session hijacking/unauthorized automation control and information disclosure via detailed counts/errors.
SUSPICIOUS. The core browsing capability is coherent, and the Bun install path appears official and partially verified, so this is not confirmed malware. But the skill’s actual footprint is broader than a QA browser: it manages telemetry, self-upgrade flow, cross-skill routing, writes local analytics, can modify CLAUDE.md, and can create a git commit. The biggest concerns are scope creep and incomplete transparency around remote telemetry destinations, not clear credential theft or overt exfiltration.
This module is a high-privilege agent runner that polls a local on-disk QUEUE for JSON instructions, spawns the external 'claude' binary with the queue prompt, and explicitly grants the agent powerful tools including Bash and file operations (Write/Read/Glob/Grep). Outputs and tool-call metadata are streamed to an external controller via sendEvent, and stderr/timeout errors are forwarded. While there is no direct evidence of stealthy malware in the snippet, the architecture creates a strong risk of command execution and data leakage if an attacker can influence the queue contents or the surrounding trust boundary. Review/lock down who can write QUEUE/KILL_FILE and ensure sendEvent has strict authentication/authorization and data minimization.
SUSPICIOUS. The core Codex integration is coherent and uses an official OpenAI distribution path, but this skill’s actual footprint is materially broader than its stated purpose because of the gstack preamble: telemetry handling, project instruction injection, git commits, and dependence on opaque local helper binaries. This is better characterized as a gstack framework skill with Codex features than a minimal Codex wrapper, so the mismatch and hidden data flows warrant medium risk rather than a benign rating.
Overall, this module appears to be an extension sidebar that coordinates an agent-like local service (chat polling, SSE inspector results, screenshot/cleanup commands). It does not show direct keylogging or obvious data theft in the visible portion, but it includes a suspicious eval-like construct (truncated) and sends a screenshot command to a server while carrying a token in the SSE URL. These patterns warrant a deeper review of the full file (especially the eval usage and DOM rendering helpers) and validation that serverUrl/token cannot be attacker-controlled. Malware likelihood is low-to-moderate; security risk is moderate due to eval and high-impact command capabilities.
SUSPICIOUS. The core QA-and-fix behavior fits the stated purpose, but the skill is over-scoped: it mixes browser QA with repo mutation, CLAUDE.md routing injection, telemetry, upgrades, and numerous opaque helper binaries. Same-org install evidence lowers malware suspicion, yet the broad local-binary trust and browser-plus-shell combination make it a medium-risk skill.
SUSPICIOUS. The core checkpoint capability is legitimate and mostly local, but this skill's actual footprint is broader than its stated purpose: it runs numerous same-repo helper binaries, performs upgrade/telemetry/routing workflows, and can edit/commit CLAUDE.md. The same-org install path looks official rather than overtly malicious, so this is not confirmed malware, but the scope creep and optional remote telemetry make the skill higher risk than a simple checkpoint utility should be.
SUSPICIOUS. The core HTML-design behavior is coherent, but this skill is wrapped in a much broader gstack control layer that edits repo guidance, changes local config, runs multiple opaque binaries, and can emit telemetry. That footprint is disproportionate to a single design-finalization skill, though there is not enough evidence of credential theft or clear malicious intent.
SUSPICIOUS. The main browser-launch capability matches the stated purpose, and the Bun installer is from an official source with an added checksum check. But the skill's footprint is broader than advertised: it runs multiple opaque local gstack binaries, can modify project files and commit routing rules, and includes optional remote telemetry with undisclosed endpoints. This looks more like a bundled framework bootstrap/orchestration skill than a narrowly scoped browser launcher.
SUSPICIOUS. The core canary-monitoring behavior is coherent and mostly benign, and the Bun install path is official and checksum-verified. The main concerns are the oversized shared gstack preamble, optional remote telemetry through opaque local binaries, broader-than-needed repo/config mutation, and moderate prompt-injection risk from browsing untrusted live pages with Bash and Write access.
No direct indicators of covert malware (e.g., no exfiltration, no obfuscation, no remote payload execution) are present in this snippet. However, it intentionally reuses the user’s real Chrome session state (Default profile and Local State) while enabling CDP—a powerful control interface—against that real data context. This materially increases local attack impact if an attacker can connect to the CDP port or run untrusted code on the same host. Operationally, it also force-terminates Chrome if shutdown fails.
SUSPICIOUS: the core design-generation workflow is coherent, but this skill’s actual footprint is much broader than its stated purpose. The main concerns are scope creep in the shared gstack preamble, opaque local binaries for telemetry/design functions, and optional project-file/git modification not strictly necessary for visual brainstorming. No direct credential harvesting or obvious malicious exfiltration is shown.
The code is primarily a browser automation/controller module. The most notable security concerns are: (1) it persists an authToken to a local JSON file, (2) it conditionally loads a local browser extension with Chromium launch flags (arbitrary extension code execution if extensionPath is not tightly controlled), and (3) it injects init scripts to evade automation detection surfaces (navigator/plugins/languages/permissions behavior). It also collects console/network/dialog metadata. There is no direct evidence of outbound exfiltration or system compromise in the provided fragment, but the extension-loading and token-persistence behaviors warrant a careful review of extensionPath integrity and downstream handling of collected data.
SUSPICIOUS. The core doc-update behavior is legitimate, and the external tooling appears same-org rather than a random dropper, but the skill's footprint is disproportionately broad for its stated purpose. Persistent CLAUDE.md routing injection, commit/push automation, PR/MR edits, and opt-in telemetry flows make this more than a documentation skill and raise medium risk.
SUSPICIOUS. The core browser-QA capability is coherent, and the Bun installer evidence looks legitimate. But the skill’s actual footprint is materially broader than QA: it runs many local binaries, can edit and commit project files, pushes routing behavior into CLAUDE.md, and includes partially unverifiable remote telemetry via a helper binary. This looks more like a full agent framework bootstrap skill than a narrowly scoped QA skill.