plan-design-review

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to execute local binaries and scripts residing in the vendor's directory (~/.claude/skills/gstack/bin/). These tools handle repository mode detection, session management, and configuration. It also uses eval and source on the output of these binaries to dynamically set environment variables.
  • [EXTERNAL_DOWNLOADS]: The skill includes logic to check for updates via the gstack-update-check binary. If an update is available, it facilitates an inline upgrade process by reading new skill definitions from the vendor's local directory.
  • [DATA_EXFILTRATION]: An opt-in telemetry system is implemented to log skill usage. When enabled, it sends metadata such as the skill name, execution duration, and outcome to the vendor's logging service. While it excludes code and repository names from the remote transmission, repository names are collected in local analytics files (skill-usage.jsonl).
  • [PROMPT_INJECTION]: The skill's core functionality involves reading and reviewing user-provided design plans. These plans are processed by the primary agent, a Claude subagent, and the Codex evaluation tool. This creates a surface for indirect prompt injection, where an attacker could embed instructions in a plan file to influence the agent's behavior, bypass review logic, or exfiltrate data from the environment.
      • Ingestion points: The skill reads PLAN.md, CLAUDE.md, DESIGN.md, and TODOS.md as primary inputs.
      • Boundary markers: The instructions do not specify the use of strong delimiters or escape sequences when passing plan content to subagents or external tools.
      • Capability inventory: The skill has access to shell execution (Bash), file modification (Edit), and network access for local feedback loops (via a local HTTP server) and telemetry.
      • Sanitization: There is no evidence of automated sanitization or filtering of the content ingested from the design plans before it is processed by the AI models.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 20, 2026, 02:59 PM
Security Audit — agent-trust-hub — plan-design-review