setup-gbrain

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). Most secrets are handled via read_secret_to_env and environment variables (never logged), but the skill explicitly instructs registering a remote MCP with a header ("claude mcp add --header 'Authorization: Bearer ...'") which places the bearer token on the command line/argv (and thus would require the agent to handle/emit the secret in a command invocation), so it includes an insecure argv/auth-token pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and syncs external repositories and services (e.g., the preamble runs git fetch origin on ~/.gstack, Step 7's artifacts sync and gstack-artifacts-init with GitHub/GitLab, and Path 4 verifies and queries a remote gbrain MCP URL), and the workflow/README states those fetched pages and gbrain query results are rendered into the skill preamble/context (gstack-brain-context-load) that the agent reads and uses to make decisions—so untrusted, user-generated third‑party content is ingested and can influence tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs curl against the Supabase API at runtime (https://api.supabase.com/v1/projects) using a user-provided PAT to list projects (which is used to populate per-project confirmation prompts) and to DELETE orphan projects on confirmation, so an external URL is being queried at runtime and its responses directly drive prompts and remote actions.