skills/garrytan/gstack/health/Gen Agent Trust Hub

health

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The preamble and Step 5 run eval and source on the output of several binaries located in ~/.claude/skills/gstack/bin/ (e.g., gstack-slug, gstack-repo-mode). Dynamically executing shell code generated by other processes is a high-risk pattern that could lead to arbitrary command execution if the helper binaries are compromised.
  • [COMMAND_EXECUTION]: In Step 2, the skill executes commands retrieved from the project's CLAUDE.md file under the ## Health Stack section. The instructions explicitly state to "Respect CLAUDE.md" and "use those exact commands" without further validation. This creates a significant risk of indirect command injection if an attacker modifies the project configuration (e.g., via a malicious pull request).
  • [DATA_EXFILTRATION]: The skill implements telemetry logging and artifact synchronization. It attempts to send usage metadata (skill name, duration, session ID) to external servers via gstack-telemetry-log. Additionally, the GBrain feature offers to sync sensitive project artifacts like CEO plans and design reports to a private GitHub repository. While these features are presented as opt-in via AskUserQuestion, they constitute a capability for automated data movement.
  • [REMOTE_CODE_EXECUTION]: The skill mentions an "Inline upgrade flow" that involves reading and following instructions from a separate file (~/.claude/skills/gstack/gstack-upgrade/SKILL.md). This multi-step loading process can be used to introduce new executable instructions from outside the initial skill context.
  • [COMMAND_EXECUTION]: The skill performs automated tool detection and offers to write the results back to CLAUDE.md. While this is a setup feature, it involves the agent programmatically defining the commands it will later execute, which can be manipulated if the file system state is untrusted.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 11, 2026, 08:08 PM