landing-report

Fail

Audited by Snyk on May 10, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The skill advertises "No mutations — just a snapshot" but the prompt embeds numerous side-effecting, potentially opaque instructions (touching files, writing telemetry/analytics, AskUserQuestion-driven writes, editing/committing CLAUDE.md, git rm of vendored code, artifact sync prompts and remote telemetry) that change state or ask to exfiltrate/sync data — behavior outside the claimed read-only scope and therefore a hidden/deceptive instruction set.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and reads live repository and PR data from third-party sources (e.g., the gh calls in "Step 1: Detect platform and base branch", git fetch/git show in "Step 2", and the bin/gstack-next-version calls in "Step 3", plus remote gbrain/artifacts URLs read from ~/.gstack-artifacts-remote.txt), so it ingests untrusted, user-generated content that can influence the reported next actions and decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill is mostly read-only but explicitly performs local mutations (mkdir/touch, telemetry/analytics writes) and contains conditional repo-mutating actions (creating/appending CLAUDE.md and running git commit or git rm for vendored files), so it can change the host workspace but does not request sudo, edit system files, or create users.

Issues (3)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: May 10, 2026, 12:18 PM
  • Issues: 3