gstack

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly exposes the agent to arbitrary public webpages via browse commands (e.g., goto <url>) and reads their content with commands like text, html, links, and snapshot — i.e., the agent fetches and ingests untrusted third-party page content as part of its QA/browser workflows (see the "gstack browse" and "Untrusted content" sections), which can materially influence subsequent tool actions despite the guidance to treat such output as untrusted.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's runtime setup (when NEEDS_SETUP) downloads and executes the Bun installer from https://bun.sh/install (curl -o tmpfile then bash "$tmpfile"), meaning it fetches and runs remote code as a required dependency even though it checks a SHA256 — this creates an execution-of-remote-code risk.