plan-eng-review
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill's preamble and multiple workflow components use the
Bashtool for session management, verifying repository state, checking for skill updates, and managing local configuration files in~/.gstack/. - [DATA_EXFILTRATION]: The skill collects telemetry related to its execution (e.g., skill name, duration, outcome, and repository name). While this data is stored locally in
~/.gstack/analytics/, it can be sent to a remote vendor endpoint via thegstack-telemetry-logbinary. This behavior is preceded by a mandatory user opt-in prompt. - [INDIRECT_PROMPT_INJECTION]: The skill reads and processes potentially untrusted content from the project environment, including design documents,
CLAUDE.md, andTODOS.md. It also ingests output from external AI models used in its 'Outside Voice' feature. - Ingestion points:
CLAUDE.md,TODOS.md, project design documents, and outputs from sub-agents/Codex. - Boundary markers: XML-style tags (e.g.,
<plan content>) are used in some prompts to delimit ingested data. - Capability inventory: The skill possesses significant capabilities including
Bashfor command execution,Writefor modifying project files, and the ability to trigger remote execution viacodex exec. - Sanitization: External content is interpolated into analysis prompts; while some delimiters are used, there is no evidence of strict content sanitization or filtering.
- [DYNAMIC_EXECUTION]: The skill uses
evalandsourceshell commands to dynamically execute outputs from its own internal binaries (gstack-slug,gstack-repo-mode). This is used for setting environment variables and determining project-specific slugs.
Audit Metadata