canary

SUSPICIOUS: the core browsing and screenshot behavior matches canary monitoring, but the surrounding gstack framework adds unrelated repo modification, telemetry, and memory-sync capabilities that are not proportionate to a read-only post-deploy monitor. Install provenance is partially legitimate same-org tooling, so this is not confirmed malware, but the skill’s actual footprint is broader than its stated purpose.