context-restore

Fail

Audited by Snyk on May 12, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The skill claims to only read and present saved context, but the prompt includes numerous explicit instructions (telemetry writes, config changes, file touches, git commits, CLI upgrades, routing injection prompts, and other mutating actions) that go beyond and can change user files/state, so it contains deceptive/out-of-scope instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's preamble "Artifacts Sync" and GBrain sections (e.g., running git fetch/merge and "~/.claude/skills/gstack/bin/gstack-brain-sync" and honoring a remote artifacts URL / remote GBrain MCP) explicitly pull from remote Git/GitHub/GitLab or remote MCP/http servers and may open external URLs, which the skill then reads and uses to inform suggestions and resume decisions, exposing it to untrusted third‑party content.

Issues (2)

CRITICAL E004: Prompt injection detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 12, 2026, 02:22 AM
Issues: 2