health
Fail
Audited by Snyk on May 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The skill includes deceptive/out-of-scope instructions: it promises telemetry will not include repo names yet its preamble writes the repo basename into the telemetry/analytics file, and it contains conditional repo-modifying/upgrade actions (appending/committing CLAUDE.md, git rm of vendored code, auto-upgrade flows, artifact sync prompts) that go beyond the stated read-only/dashboard purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and parses the project's CLAUDE.md "## Health Stack" section (Step 1) and then runs the listed tool commands verbatim, and it may also run git fetch / gstack-brain-sync against configured remote artifact repos during the Artifacts Sync preamble, so untrusted repository or remote content can be ingested and directly influence which commands the agent executes.
Issues (2)
E004
CRITICAL: Prompt injection detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata