design-shotgun
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes local binaries from the gstack installation directory (e.g., `~/.claude/skills/gstack/bin/gstack-config`, `gstack-update-check`, `gstack-slug`). These are used for session management, configuration, and telemetry.
- [COMMAND_EXECUTION]: Uses `source` and `eval` on the output of local scripts like `gstack-repo-mode` and `gstack-slug` to set environment variables and context within the shell session. Because `eval` runs whatever those scripts print, the trust placed in this output is the same as the trust placed in the scripts themselves.
- [EXTERNAL_DOWNLOADS]: The skill offers to open an educational blog post at https://garryslist.org/posts/boil-the-ocean. This is an official domain associated with the framework's author and is used to explain the 'Completeness Principle'.
- [COMMAND_EXECUTION]: Starts a local HTTP server via a design binary to host a 'comparison board' for design variants. This server runs on a random port and is intended for local browser access only.
- [SAFE]: Data synchronization (GBrain Sync) and telemetry features are included but are explicitly presented to the user as opt-in choices via interactive prompts (`AskUserQuestion`), so the user decides whether any data is shared.
- [SAFE]: Design artifacts and session data are stored in a dedicated local directory (`~/.gstack/projects/$SLUG/designs/`) rather than in project-specific folders, keeping a clear boundary between user design data and project source code.
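The `eval`-on-helper-output finding above is the one a reviewer would most want a guard for. The following is an added example, not code from the design-shotgun skill or from gstack: it evaluates helper output only when every line is a plain `NAME=value` assignment, so a helper that printed (or was modified to print) anything else would be rejected instead of executed. The helper names `gstack-repo-mode` and `gstack-slug` come from the audit; the exact text those helpers print is an assumption, so the sample inputs are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not part of the design-shotgun skill or gstack: a guard that
# only eval's helper output when every line is a plain NAME=value assignment.
# The helper names gstack-repo-mode and gstack-slug come from the audit; the
# exact text those helpers print is an assumption, so the samples below are
# constructed stand-ins rather than real helper output.

# is_safe_assignments TEXT
# Succeeds (exit 0) only if every non-empty line of TEXT matches
# NAME=value, where NAME is a shell identifier and value is restricted to a
# conservative character set with no quotes, spaces or shell metacharacters
# (so no ';', '$(...)', backticks, '|' or '&' can reach eval).
is_safe_assignments() {
  # grep -v prints the lines that do NOT match; -q makes it succeed if any
  # such line exists, i.e. if there is at least one unsafe line.
  if printf '%s\n' "$1" | grep -v '^$' |
     grep -Evq '^[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9_./:@+-]*$'; then
    return 1
  fi
  return 0
}

# load_env_from_helper TEXT
# Validates TEXT with is_safe_assignments and only then evals it, so the
# assignments land in the current shell just as `eval "$(gstack-slug)"`
# would, minus the ability to run arbitrary commands from that output.
load_env_from_helper() {
  is_safe_assignments "$1" || return 1
  eval "$1"
}

# Constructed sample inputs (not captured from the real helpers).
SAMPLE_OK='GSTACK_REPO_MODE=worktree
GSTACK_SLUG=my-project'
SAMPLE_BAD='GSTACK_SLUG=my-project; echo injected
GSTACK_REPO_MODE=$(uname)'

if is_safe_assignments "$SAMPLE_OK"; then
  echo "SAMPLE_OK: accepted"
fi
if ! is_safe_assignments "$SAMPLE_BAD"; then
  echo "SAMPLE_BAD: rejected, nothing evaluated"
fi
```

Replacing `eval "$(gstack-slug)"` with `load_env_from_helper "$(gstack-slug)"` keeps the same effect on the session's environment while turning unexpected helper output into a failed call rather than an executed command. The allowed value character set is deliberately narrow; widen it only for characters the real helpers are known to emit.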
Audit Metadata