investigate
Warn
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill extensively uses the Bash tool to manage local state, such as creating and cleaning up session files in the ~/.gstack/ directory and interacting with local configuration binaries.
- [REMOTE_CODE_EXECUTION]: The instructions direct the agent to use eval and source on the output of local binaries included with the skill (e.g., gstack-slug and gstack-repo-mode), which constitutes dynamic execution of shell code generated at runtime.
- [DATA_EXFILTRATION]: The skill includes functionality for 'GBrain Sync' which can synchronize session memory to a remote GitHub repository. Additionally, it collects telemetry data, including skill usage and duration, which is stored locally and can be sent to remote endpoints depending on user configuration.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes data from external or untrusted sources such as WebSearch results, git log history, and project-specific files like CLAUDE.md.
  - Ingestion points: Data enters the context via WebSearch (Phase 2), git log (Phase 1), and project documentation (Preamble).
  - Boundary markers: The instructions do not define strict boundary markers or delimiters when interpolating untrusted data into the agent's context.
  - Capability inventory: The skill allows the use of Bash, Write, Edit, and WebSearch tools, providing a significant capability surface if malicious instructions are ingested.
  - Sanitization: The skill includes instructions for the agent to sanitize search queries by removing sensitive data such as IPs and hostnames before performing web searches.