zstack-ops

Warn

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses curl to interact with the ZStack API at https://zergstack.com and executes fly CLI commands for infrastructure management and debugging.
  • [DATA_EXFILTRATION]: Accesses the sensitive file ~/.fly/config.yml to retrieve FLY_ACCESS_TOKEN for authenticating Fly.io commands. It also uses a local file /private/tmp/zstack-cookie.txt to store and retrieve session cookies for ZStack API calls.
  • [PROMPT_INJECTION]: The skill ingests and processes external data from deployment logs, environment statuses, and local project configuration files, creating a surface for indirect prompt injection.
  • Ingestion points: The agent reads deployment errors, status fields, and streams logs via the ZStack API, and inspects local files like zstack.yaml, fly.toml, and Dockerfile (as seen in SKILL.md).
  • Boundary markers: No specific boundary markers or instructions to ignore embedded commands are present when processing this data.
  • Capability inventory: The skill has the capability to perform network requests (curl), execute infrastructure commands (fly), and read/write local files.
  • Sanitization: There are no explicit sanitization or validation steps mentioned for the ingested data.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 5, 2026, 06:06 PM
Security Audit — agent-trust-hub — zstack-ops