devex-review
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [SAFE]: No security issues detected. Findings listed below were evaluated as safe within the context of the skill's intended functionality.
- [EXTERNAL_DOWNLOADS]: The skill downloads the Bun installation script from https://bun.sh/install if the runtime is not already present. This uses a well-known service and the installation process includes a SHA-256 checksum verification to ensure the script's integrity before execution.
- [COMMAND_EXECUTION]: The preamble and setup phases execute various binaries and scripts located in ~/.claude/skills/gstack/bin/. These are local infrastructure components for the gstack ecosystem used for telemetry, configuration management, and session tracking.
- [DATA_EXFILTRATION]: The skill provides optional features to sync session memory to a private GitHub repository and send telemetry to a remote server. These operations are explicitly presented to the user for approval via interactive prompts and are configured to exclude sensitive information such as code and file paths.
Audit Metadata