The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses eval and source commands in its preamble to execute the output of local binaries like gstack-slug and gstack-repo-mode. This dynamic execution of shell commands generated at runtime represents a security risk if the binaries or their outputs are compromised.
[DATA_EXFILTRATION]: The skill contains a telemetry system that collects usage metadata, including skill names, execution durations, outcomes, and repository names. While it includes a prompt for user consent, the underlying mechanism transmits project and environment metadata to an external service via gstack-telemetry-log.
[EXTERNAL_DOWNLOADS]: The 'Artifacts Sync' feature periodically performs git fetch and git merge operations from a remote repository into the user's ~/.gstack directory to synchronize project artifacts.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes documentation files from the current repository. Evidence chain:
Ingestion points: Documentation files such as README.md, ARCHITECTURE.md, CONTRIBUTING.md, CLAUDE.md, and others are read and processed during the audit in Step 2.
Boundary markers: Absent; the content of these files is ingested without delimiters or specific instructions to ignore embedded commands.
Capability inventory: The skill has significant capabilities, including the ability to write files, edit content, execute shell commands, perform git commits and pushes, and update PR/MR metadata via platform CLIs.
Sanitization: Absent; the skill does not explicitly sanitize or validate the content of the documentation files before using them to suggest updates or commit changes.
[COMMAND_EXECUTION]: The workflow performs several automated operations that modify the repository and platform state, including creating commits, pushing branches, and using the gh or glab CLI tools to edit PR/MR descriptions and titles.

document-release