open-gstack-browser
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFE
Findings flagged: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the 'bun' installer from 'https://bun.sh/install' if the runtime is missing. This source is a well-known service, and the skill performs a SHA-256 checksum verification before execution.
- [REMOTE_CODE_EXECUTION]: The script executes the downloaded 'bun' installer via bash. This execution is guarded by checksum validation and targets a well-known service.
- [COMMAND_EXECUTION]: The skill interacts with several local binaries provided by the vendor (located in ~/.claude/skills/gstack/bin/) for configuration, telemetry, and repo management. It uses 'eval' and 'source' to process the output of these binaries.
- [DATA_EXFILTRATION]: Telemetry regarding skill usage is collected and stored in ~/.gstack/analytics/. Users are prompted to configure telemetry preferences (including opting out) during the skill's initial run.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through its browser automation capabilities.
  - Ingestion points: Web page content is ingested via the '$B snapshot' command in SKILL.md.
  - Boundary markers: No explicit delimiters or instructions are used to separate external web data from agent instructions.
  - Capability inventory: The skill can execute shell commands via Bash, read files, and prompt the user.
  - Sanitization: External content is not sanitized before being processed by the agent. This is a common and expected risk for browser-focused skills.
Audit Metadata