context-restore

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The skill purports to only read and present saved context, but the prompt embeds numerous instructions (telemetry, config changes, git commits, CLAUDE.md injection, brain-sync, auto-upgrades, file writes) that modify state or exfiltrate/session-sync outside that scope, so it contains deceptive/out-of-scope directives.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's preamble/GBrain Sync steps (in SKILL.md "GBrain Sync (skill start)") perform git fetch/merge and run "~/.claude/skills/gstack/bin/gstack-brain-sync", pulling content from a remote brain/git repo and loading brain/learnings files into ~/.gstack, which are untrusted user-generated third-party sources that the agent reads and that can influence subsequent suggestions/actions.