open-gstack-browser

Fail

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Downloads the Bun runtime installer from the well-known service domain https://bun.sh/install. The skill implements security best practices by verifying the script's integrity using a hardcoded SHA256 checksum (bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd) before execution.
  • [COMMAND_EXECUTION]: Executes multiple local utility scripts for session management, configuration, and telemetry located within the vendor-controlled directory ~/.claude/skills/gstack/bin/. These operations include sourcing script outputs and using eval for dynamic environment setup.
  • [PROMPT_INJECTION]: The skill provides a 'sidebar chat' feature where a child AI agent processes natural language instructions to interact with the browser. This establishes an indirect prompt injection surface where untrusted data from visited websites could attempt to manipulate the agent's logic, though this is mitigated by the agent's internal constraints.
  • [DATA_EXFILTRATION]: Contains logic to collect and log telemetry data (skill usage, duration, and outcomes) to ~/.gstack/analytics/. The implementation uses an explicit user opt-in mechanism via AskUserQuestion before any remote data transmission is enabled.
Recommendations
  • HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
May 16, 2026, 12:52 PM
Security Audit — agent-trust-hub — open-gstack-browser