design-consultation
Fail
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the Bun runtime installer from
https://bun.sh/install, which is a well-known service. - [REMOTE_CODE_EXECUTION]: Executes the downloaded Bun installer script using the system shell (
bash). The process includes a SHA256 checksum verification step to ensure file integrity before execution. - [COMMAND_EXECUTION]: Utilizes extensive shell commands for environment preparation, configuration management, and execution of local binaries within the
gstacktool suite (e.g.,gstack-config,gstack-update-check,gstack-slug). - [DATA_EXFILTRATION]: Implements telemetry logging to track skill usage, duration, and device identifiers, which are sent to the vendor's infrastructure using the
gstack-telemetry-logutility. The preamble explicitly informs the user about this collection. - [PROMPT_INJECTION]: Exposes an indirect prompt injection surface (Category 8) by processing untrusted data.
- Ingestion points: Reads project-specific files such as
README.mdandpackage.json, and ingests external content viaWebSearchresults. - Boundary markers: The skill lacks explicit boundary markers or instructions to ignore embedded commands when processing external data.
- Capability inventory: The agent has capabilities to execute
Bashcommands and performWriteorEditoperations on the local filesystem. - Sanitization: No sanitization or filtering of external data is performed before it is used to inform design proposals.
- Mitigation: The risk is mitigated by the mandatory use of the
AskUserQuestiontool, which requires human approval before the design system is finalized or written to files.
Recommendations
- HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
Audit Metadata