sync-gbrain
Fail
Audited by Snyk on May 10, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (medium risk: 0.60). The skill quietly records telemetry (including the repo basename) and auto-writes analytics/telemetry files while its user-facing prompt claims "No code, file paths, or repo names." This is deceptive, contradictory behavior that falls outside the core "sync gbrain" purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and syncs code/artifacts from git remotes and gbrain sources (e.g., the git fetch/merge in the Artifacts Sync section and the gstack-gbrain-sync/gbrain reindex and gbrain search/put calls, plus reading a remote artifacts URL from ~/.gstack-artifacts-remote.txt and claude.json mcpServers.gbrain.url), so it ingests untrusted/user-hosted repo content and uses those results to decide actions (reindex, capability checks, and updates to CLAUDE.md), allowing third-party content to materially influence tool use and next steps.
Issues (2)
- E004 (CRITICAL): Prompt injection detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).