Skills
skills/garrytan/gstack/landing-report/Gen Agent Trust Hub

landing-report

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill's preamble executes extensive shell commands to manage session files, check configurations, and verify the local environment.
  • [REMOTE_CODE_EXECUTION]: The skill synchronizes the ~/.gstack directory using git fetch and git merge, and executes multiple binaries from ~/.claude/skills/gstack/bin/ to perform updates, telemetry, and configuration management.
  • [DYNAMIC_EXECUTION]: Uses eval and source with process substitution to execute dynamically generated output from internal utility tools like gstack-slug and gstack-repo-mode.
  • [DATA_EXPOSURE]: Reads ~/.claude.json, which may contain sensitive information about MCP server configurations and transport settings.
  • [DATA_EXFILTRATION]: Telemetry data, including skill identifiers, execution duration, and outcome status, is transmitted to an external service via the gstack-telemetry-log utility.
  • [EXTERNAL_DOWNLOADS]: Performs network operations to check for updates and synchronize project-specific artifacts from remote repositories into the ~/.gstack directory.
  • [METADATA_POISONING]: Suggests modifying the project's CLAUDE.md file to inject routing rules that dictate how the agent should handle future user requests.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 16, 2026, 06:25 PM
Security Audit — agent-trust-hub — landing-report