zstack-ops
Warn
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
curlto interact with the ZStack API athttps://zergstack.comand executesflyCLI commands for infrastructure management and debugging. - [DATA_EXFILTRATION]: Accesses the sensitive file
~/.fly/config.ymlto retrieveFLY_ACCESS_TOKENfor authenticating Fly.io commands. It also uses a local file/private/tmp/zstack-cookie.txtto store and retrieve session cookies for ZStack API calls. - [PROMPT_INJECTION]: The skill ingests and processes external data from deployment logs, environment statuses, and local project configuration files, creating a surface for indirect prompt injection.
- Ingestion points: The agent reads deployment errors, status fields, and streams logs via the ZStack API, and inspects local files like
zstack.yaml,fly.toml, andDockerfile(as seen inSKILL.md). - Boundary markers: No specific boundary markers or instructions to ignore embedded commands are present when processing this data.
- Capability inventory: The skill has the capability to perform network requests (
curl), execute infrastructure commands (fly), and read/write local files. - Sanitization: There are no explicit sanitization or validation steps mentioned for the ingested data.
Audit Metadata