context-restore
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill preamble and main workflow execute multiple local binaries from the "~/.claude/skills/gstack/bin/" directory. These tools are used for session management, configuration retrieval, and project slug identification.
- [DATA_EXFILTRATION]: Usage analytics, including skill name, duration, and repository metadata, are logged to the "~/.gstack/analytics/" directory. The skill also includes an optional remote telemetry mechanism that can be enabled by the user.
- [PROMPT_INJECTION]: The context restoration feature reads external Markdown files from the local filesystem. This provides a potential surface for indirect prompt injection as these files are presented to the agent without explicit boundary markers or content sanitization.
- Ingestion points: Saved checkpoint files located in "~/.gstack/projects/$SLUG/checkpoints/" (SKILL.md).
- Boundary markers: None. The content is presented directly to the agent context.
- Capability inventory: The skill uses the Bash, Read, Glob, and Grep tools.
- Sanitization: The skill does not sanitize or validate the content of the restored context files before processing.
Audit Metadata