skills/garrytan/gstack/make-pdf/Gen Agent Trust Hub

make-pdf

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's preamble and core logic execute numerous external binaries located in the ~/.claude/skills/gstack/bin/ directory and other system paths (e.g., pdftotext, browse). These include gstack-config, gstack-update-check, gstack-telemetry-log, and others. These tools are used for telemetry, configuration, and update management.
  • [DATA_EXFILTRATION]: There is a discrepancy between the stated privacy policy in the telemetry prompt and the actual data collected. The AskUserQuestion prompt states that 'No code, file paths, or repo names' are shared, but the bash preamble explicitly extracts and records the repository's base name ($(basename "$(git rev-parse --show-toplevel)")) into the skill-usage.jsonl file.
  • [PROMPT_INJECTION]: The skill processes untrusted markdown content to generate PDFs. While it implements a regex-based HTML sanitizer (sanitizeUntrustedHtml in src/render.ts) to strip potentially malicious tags like <script> and <iframe>, this remains an attack surface for indirect prompt injection if the sanitizer is bypassed, especially since the resulting HTML is rendered in a Chromium instance (browse daemon).
  • [COMMAND_EXECUTION]: The tryOpen function in src/orchestrator.ts uses spawn with detached: true to open generated files using system-default applications (open, xdg-open, or cmd /c start). This allows the execution of arbitrary commands if the output path can be manipulated.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 15, 2026, 05:28 PM