context-restore

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The skill advertises a read-only "restore context" operation but contains explicit instructions to modify config, write files, run upgrade flows, and even create/commit CLAUDE.md and change telemetry—actions outside and contradictory to its stated scope, so it includes deceptive/out-of-scope instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's "Artifacts Sync" preamble and restore workflow explicitly run git fetch/merge and gstack-brain-sync (and may call gbrain in remote-http mode), which pulls content from remote Git/GitLab/GitHub or brain servers and then reads those fetched artifacts/checkpoint .md files as part of its decision/workflow, exposing the agent to untrusted third-party content that could contain instructions.