context-restore

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by reading and displaying the content of .md checkpoint files.
      • Ingestion points: The restoration workflow in SKILL.md reads checkpoint files from ~/.gstack/projects/$SLUG/checkpoints.
      • Boundary markers: The ingested content, including summaries, remaining work, and notes, is presented to the agent without boundary markers or specific instructions to ignore embedded commands.
      • Capability inventory: The agent has access to Bash, Read, Glob, Grep, and AskUserQuestion tools, and can perform file system writes and Git commits.
      • Sanitization: There is no evidence of sanitization or validation of the input checkpoint files before they are displayed and processed by the agent.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute numerous local binaries within the ~/.claude/skills/gstack/bin/ directory for configuration, telemetry, and state management. It also uses eval and source on the output of these binaries.
  • [COMMAND_EXECUTION]: The skill performs Git operations including git fetch, git merge, git add, and git commit to synchronize context and update the project's CLAUDE.md file with routing rules.
  • [DATA_EXFILTRATION]: Usage analytics (skill names, durations, and repository names) are logged to ~/.gstack/analytics/ and may be sent to a remote telemetry endpoint if enabled.
  • [EXTERNAL_DOWNLOADS]: The skill references the external domain garryslist.org for documentation and may download state or artifacts from user-configured remote Git repositories during synchronization.
Audit Metadata
Risk Level: SAFE
Analyzed: May 20, 2026, 05:21 PM