gstack
Audited by Socket on Apr 4, 2026
13 alerts found:
Anomaly x13
SUSPICIOUS. The core browser-testing capability matches the stated QA purpose, and the Bun install path appears same-project and official enough to avoid a high supply-chain verdict. The main concerns are broader-than-necessary project modification, Bash access combined with untrusted web content, and an opt-in telemetry binary whose remote endpoint is not visible here.
SUSPICIOUS. The core canary workflow is coherent and mostly read-only, and the external install path shown is same-vendor and partially verified. The main risk comes from the oversized gstack preamble: telemetry through opaque local binaries, broad local state access, and project-modifying behaviors like editing CLAUDE.md and committing changes that are not proportionate to simple post-deploy monitoring.
SUSPICIOUS. The checkpoint function itself is coherent and mostly local, but the skill bundle includes broader behavior than its stated purpose: telemetry setup, cross-skill routing, CLAUDE.md modification, and git commits. No clear malicious exfiltration is shown, yet the opaque telemetry binary and extra project-modifying behavior make the footprint disproportionate for a checkpoint skill.
SUSPICIOUS. The core health-check behavior is legitimate, but this skill's footprint is not proportionate to that purpose: it performs onboarding, telemetry handling, local analytics, context mining, cross-skill routing setup, and possible repo modification/commit. Same-org provenance reduces the chance of outright malware, but the scope mismatch and opaque telemetry binary make it higher-risk than a normal dashboard skill.
This module is a browser automation/controller that optionally loads a local extension and writes sensitive auth tokens into the extension directory as .auth.json, including during handoff from a local browse.json file. It also powerfully restores cookies and arbitrary localStorage/sessionStorage into pages and captures extensive console/dialog/network telemetry. While there is no direct evidence of covert exfiltration or overt malware in the shown fragment, the extension loading + credential persistence and untrusted-state restoration are high-impact trust-boundary risks; security depends heavily on the integrity of the extension path and the provenance of authToken/state inputs and on how collected telemetry is handled.
SUSPICIOUS. The core QA capability is legitimate and the install sources are mostly coherent and same-org, but the skill’s actual footprint is broader than 'report-only QA'. Telemetry, persistent config changes, routing-rule edits, and a possible git commit are disproportionate to the stated purpose. Risk is moderate, driven more by scope creep and optional opaque telemetry than by confirmed malicious behavior.
Overall, this fragment looks like a browser-extension UI/controller for a backend-assisted 'cleanup' and 'screenshot' workflow. The standout suspicious indicator is that the cleanup prompt instructs executing JavaScript via an eval-like mechanism (`$B eval ...`) to hide/unlock page elements—this is a high-capability action but is delegated to the backend/agent rather than executed directly in this client. There is no direct evidence in the shown code of credential harvesting or covert data exfiltration. Security risk is mainly from the command-channel nature (serverUrl/serverToken) and potential for arbitrary DOM manipulation if the backend or inputs are compromised.
No definitive malware is visible in the provided fragment, but the generated bash contains a high-risk eval-based dynamic execution pattern (eval of gstack-slug output) and includes an optional telemetry binary execution pathway. Additionally, the context recovery logic reads and surfaces local project artifacts into agent context, which is a data-handling/privacy risk. Risk is therefore moderate: review how gstack-slug output is produced/validated and what the telemetry binary transmits, and assess whether exposing project artifacts into prompts matches the intended threat model.
No direct indicators of covert malware (e.g., no exfiltration, no obfuscation, no remote payload execution) are present in this snippet. However, it intentionally reuses the user’s real Chrome session state (Default profile and Local State) while enabling CDP—a powerful control interface—against that real data context. This materially increases local attack impact if an attacker can connect to the CDP port or run untrusted code on the same host. Operationally, it also force-terminates Chrome if shutdown fails.
SUSPICIOUS. The core browser-QA-and-fix workflow is legitimate, and same-org install paths reduce supply-chain concern, but the skill is over-scoped: it can change project governance files, bootstrap tests/CI, commit autonomously, and process untrusted web content with Bash and Write access. Optional telemetry through an opaque local binary adds moderate data-flow uncertainty. Not clearly malicious, but risk is medium-high for a QA skill.
SUSPICIOUS. The core learnings-management behavior is coherent, but the shared preamble adds disproportionate capabilities: telemetry handling, optional remote logging through an opaque binary, browser opening, and even CLAUDE.md edits plus git commits. This looks more like an over-scoped framework skill than outright malware, with medium security risk driven by hidden helper binaries and unrelated project modification paths.
SUSPICIOUS: the skill's core review purpose is broadly coherent, but it grants the agent substantial autonomous authority, executes many external/local helper binaries, follows other skills transitively, and can modify project files and create commits. The main concern is over-broad execution and trust expansion, not clear malicious intent.
SUSPICIOUS. The core browser-launch behavior fits the stated purpose, and the Bun install path appears same-project or official. But the skill's footprint is much broader than 'connect Chrome': it performs ecosystem onboarding, telemetry setup, routing-rule injection, and even git commits. The main concern is scope creep and opaque telemetry routing, not confirmed malware.