checkpoint
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes local binaries belonging to the gstack framework (e.g.,
gstack-config,gstack-slug,gstack-telemetry-log) to manage sessions, configuration, and telemetry. It also usesevalandsourcecommands to execute the output generated by these binaries. These are vendor-provided tools part of the framework installation. - [DATA_EXFILTRATION]: The skill collects and logs telemetry data, including skill names, execution durations, and outcomes, to local files and transmits it to a remote service via a vendor binary. This behavior is user-configurable and provides opt-in/out mechanisms as described in the instructions.
- [PROMPT_INJECTION]: The skill processes untrusted data from project-level files, which introduces an indirect prompt injection surface:
- Ingestion points: The skill reads content from
CLAUDE.mdand various checkpoint markdown files stored in~/.gstack/projects/. - Boundary markers: There are no explicit delimiters or protective instructions used to isolate the ingested file content from the agent's core instructions.
- Capability inventory: The skill has access to powerful tools including shell execution (
Bash) and file system manipulation (Read,Write). - Sanitization: Content from these external files is interpolated into the agent's context without sanitization or validation.
Audit Metadata