plan-devex-review
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool extensively in its preamble and throughout its workflow to execute local binaries located in
~/.claude/skills/gstack/bin/. These commands manage session state, telemetry, configuration, and project context recovery (e.g.,gstack-config,gstack-slug,gstack-telemetry-log). - [DATA_EXFILTRATION]: The skill includes a telemetry system and an optional 'GBrain Sync' feature. Telemetry logs skill usage details (duration, outcome, repo name) to
~/.gstack/analytics/and a remote log. The 'GBrain Sync' feature allows users to synchronize session memory to a private GitHub repository. Both features are transparently presented to the user viaAskUserQuestionprompts for explicit consent. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted project data (e.g., plan files, README.md, package.json) and interpolates this content into prompts for external review agents (like Codex or a sub-agent). However, it mitigates this by including explicit boundary instructions (e.g., 'Do NOT read or execute any files under ~/.claude/...') and framing the external review within a highly structured prompt.
- [COMMAND_EXECUTION]: During the 'Outside Voice' review phase, the skill may invoke the
codex execcommand or a sub-agent to provide an independent critique of the development plan. This is a core feature for cross-model verification. - [SAFE]: The skill follows established patterns for the 'gstack' suite of tools, using a local home directory for persistence and providing granular user control over optional features.
Audit Metadata