pair-agent

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires printing the full instruction block verbatim (which contains one-time setup keys/session tokens) and asks the agent to accept and insert user-provided ngrok auth tokens into commands, forcing the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow and preamble explicitly fetch and ingest remote content—e.g., the "Artifacts Sync" steps (reading ~/.gstack-artifacts-remote.txt, running git fetch origin and gstack-brain-sync, and using a remote GBrain via an MCP URL) and the pairing flow that lets a remote agent browse arbitrary web pages and read page HTML—which are untrusted/third‑party sources that the agent will read and that can influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's runtime setup step downloads and executes the bun installer script from https://bun.sh/install (curl -fsSL "https://bun.sh/install" -> bash "$tmpfile"), which fetches and runs remote code as a required dependency.