qa
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the Bun installation script from bun.sh if the runtime is not detected. This targets a well-known service in the technology ecosystem, and the script's integrity is verified using a hardcoded SHA-256 checksum before execution.
- [REMOTE_CODE_EXECUTION]: The skill executes the downloaded Bun installation script via the shell to set up the necessary runtime. This is a common and documented setup pattern for tools within the gstack ecosystem.
- [COMMAND_EXECUTION]: The skill sources and evaluates output from several local helper binaries located in ~/.claude/skills/gstack/bin/ (such as gstack-slug and gstack-repo-mode). These are used for environment variable setup, session tracking, and configuration management.
- [DATA_EXFILTRATION]: The skill implements a telemetry system that logs usage statistics and performance metrics. This behavior is documented and opt-in; the agent is instructed to ask for user permission before enabling remote data sharing.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present because the skill ingests and processes content from target web application URLs and project documentation (e.g., CLAUDE.md, TESTING.md).
- Ingestion points: Web browser content and local project documentation files.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used for processed data.
- Capability inventory: The skill can execute shell commands and modify the local filesystem, providing a potential path for exploitation of injected instructions.
- Sanitization: No explicit sanitization or validation of ingested content is performed.
Audit Metadata