context-save
Warn
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The preamble and main workflow perform extensive execution of local binaries belonging to the gstack toolset (e.g., gstack-update-check, gstack-config, gstack-slug, gstack-brain-sync).
- [COMMAND_EXECUTION]: The skill uses eval and shell substitution source <(...) to execute shell code dynamically generated by the gstack-slug and gstack-repo-mode binaries in SKILL.md.
- [DATA_EXFILTRATION]: The skill includes a telemetry system that sends usage data (skill name, duration, outcome, session ID) to a remote endpoint. While this is gated by a user prompt, the endpoint is not explicitly disclosed in the script.
- [DATA_EXFILTRATION]: The 'GBrain Sync' feature is designed to publish session memory—which may include code snippets and technical decisions—to a private GitHub repository. This functionality is presented as an opt-in feature.
- [PROMPT_INJECTION]: The skill contains strong directives to the agent to 'Treat the skill file as executable instructions, not reference' and to override standard behaviors based on configuration (e.g., EXPLAIN_LEVEL: terse).
- [PROMPT_INJECTION]: Indirect prompt injection surface detected.
  - Ingestion points: Reads project-level files (CLAUDE.md), internal data logs (learnings.jsonl), and saved checkpoint files (checkpoints/*.md).
  - Boundary markers: Missing for several processed files, which could allow embedded instructions to influence the agent.
  - Capability inventory: The skill has broad capabilities including shell execution (Bash), file writing, and network operations.
  - Sanitization: Title inputs are sanitized via shell utilities (tr, cut) before being used in filenames.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to check for updates (gstack-update-check) and sync repository state via git (gstack-brain-sync).
Audit Metadata