scrape
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's preamble executes a wide array of local utility binaries (e.g.,
gstack-config,gstack-slug,gstack-timeline-log) and shell commands to manage configuration, sessions, and telemetry. It uses dynamic execution viaevalandsourceon the output of local vendor tools. - [DATA_EXFILTRATION]: The skill includes logic for synchronizing project artifacts to a remote repository and logging usage telemetry. These features are designed to trigger only after explicit user consent is obtained via the
AskUserQuestiontool. - [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests untrusted data from external websites via the
$B(browser) toolset. This content is processed by the AI to extract structured information, posing a risk of indirect prompt injection if the source content contains malicious instructions. - Ingestion points: Web page content (text and HTML) accessed via
$B snapshotand$B htmlinSKILL.md. - Boundary markers: No specific delimiters or instructions are provided to separate scraped content from the agent's internal instructions.
- Capability inventory: The skill allows access to powerful tools including
BashandRead. - Sanitization: There is no evidence of explicit sanitization or filtering applied to the retrieved web data before processing.
Audit Metadata