review

Fail

Audited by Snyk on May 11, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.80). The skill contains deceptive/out-of-scope behaviors: it promises telemetry "No code, file paths, or repo names" yet the preamble logs the repo basename to analytics, and it includes numerous side-effecting instructions (auto-creating/committing CLAUDE.md, changing configs, auto-upgrades, telemetry toggles) that go beyond a transparent "pre-landing PR review" and could surreptitiously mutate user repos or exfiltrate metadata.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.85). The workflow frequently executes and evals output from local helper binaries (e.g. ~/.claude/skills/gstack/bin/* via eval/source), runs git/network syncs (gstack-brain-sync, artifact sync, telemetry) and can auto-write/commit repo files—together these allow remote code execution, supply‑chain updates, or silent exfiltration of repo/artifacts if the helper binaries or remote endpoints are malicious or compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated GitHub PR bodies and line-level comments via gh/gh api (see Step 1.5 / Step 2.5 and greptile-triage.md) and uses those artifacts to drive triage, findings, and fix/ask decisions, which exposes the agent to untrusted third-party content that could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill calls GitHub CLI / API at runtime (gh pr view / gh api → https://api.github.com/...) and reads the repo remote URL (git remote get-url origin, e.g. git@github.com:owner/repo.git or https://github.com/owner/repo.git) to fetch PR bodies and Greptile comments which are then injected into the review workflow and can directly control prompts/decisions.

Issues (4)

  • CRITICAL E004: Prompt injection detected in skill instructions.
  • CRITICAL E006: Malicious code pattern detected in skill scripts.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 11, 2026, 08:07 PM
Issues: 4