Security Audit

garrytan/gstack:browse

github.com/garrytan/gstack

AI SkillCommit e8893a18b18e

CRITICAL

Scanned about 2 months ago

135

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

garrytan/gstack:browse received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 183 findings: 135 critical, 45 high, 2 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Unsafe environment variable passthrough.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on April 29, 2026 (commit e8893a18). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Network Access

121 findings

Filesystem Write

96 findings

Shell Execution

59 findings

Dynamic Code

5 findings

Excessive Permissions

84 findings

Security Findings183

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	browse/src/cookie-import-browser.ts:202
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	browse/src/cookie-picker-ui.ts:114
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	browse/src/cookie-picker-ui.ts:120
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	browse/src/cookie-picker-ui.ts:130
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	browse/src/cookie-picker-ui.ts:131
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	browse/src/cookie-picker-ui.ts:483
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	browse/src/cookie-picker-ui.ts:484
CRITICAL	Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/content-security.test.ts:128
CRITICAL	Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/content-security.test.ts:136
CRITICAL	Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/security-integration.test.ts:59
CRITICAL	Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/security-integration.test.ts:60
CRITICAL	Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/security-integration.test.ts:127
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/browse-client.ts:151
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cli.ts:115
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cli.ts:412
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cli.ts:621
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cli.ts:679
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cli.ts:806
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cli.ts:873
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cli.ts:939
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cookie-import-browser.ts:884
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cookie-import-browser.ts:892
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cookie-picker-routes.ts:86
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/cookie-picker-ui.ts:11
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/server.ts:230
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/server.ts:1390
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/server.ts:2014
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/server.ts:2041
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/terminal-agent.ts:493
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/write-commands.ts:750
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/write-commands.ts:758
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/src/write-commands.ts:1208
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/batch.test.ts:19
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:32
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:41
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:48
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:64
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:69
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:76
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:83
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:91
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:108
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:125
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:169
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:199
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:219
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:235
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:256
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:261
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:269
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:279
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:303
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:322
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:344
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:361
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:378
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:394
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:409
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/cookie-picker-routes.test.ts:433
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/pair-agent-e2e.test.ts:73
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/pair-agent-tunnel-eval.test.ts:99
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/pair-agent-tunnel-eval.test.ts:102
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/pair-agent-tunnel-eval.test.ts:211
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/sidebar-integration.test.ts:29
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/sidebar-tabs.test.ts:247
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/sse-session-cookie.test.ts:120
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/tab-isolation.test.ts:131
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/tab-isolation.test.ts:136
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent-integration.test.ts:76
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent-integration.test.ts:93
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent-integration.test.ts:107
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent-integration.test.ts:113
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent-integration.test.ts:120
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent-integration.test.ts:211
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent-integration.test.ts:231
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent.test.ts:70
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/terminal-agent.test.ts:77
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/test-server.ts:47
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/url-validation.test.ts:21
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/url-validation.test.ts:59
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/url-validation.test.ts:125
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/url-validation.test.ts:232
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	browse/test/welcome-page.test.ts:30
CRITICAL	Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	browse/src/security-classifier.ts:473
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:7
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:13
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:17
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:21
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:26
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:32
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:35
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:43
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:44
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:50
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:56
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:61
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:66
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:77
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:78
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:94
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:96
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:101
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:102
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:115
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:142
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:152
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:153
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:170
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:171
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:216
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:232
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:234
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:240
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:258
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:259
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:322
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:323
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:368
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:387
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:393
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:394
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:404
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/SKILL.md:611
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/src/commands.ts:290
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/src/security.ts:395
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	browse/test/find-browse.test.ts:12
CRITICAL	Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	browse/test/cookie-import-browser.test.ts:161
CRITICAL	Command Injection via 'eval' with untrusted binary output The skill uses 'eval' to execute the output of the 'gstack-slug' binary. If an attacker can compromise or manipulate the 'gstack-slug' binary (e.g., by replacing it with a malicious script or influencing its output), they could inject arbitrary shell commands to be executed by 'eval'. This is a classic command injection vulnerability. Avoid using 'eval' with external command output. If the output is expected to be a simple variable assignment (e.g., `VAR="value"`), parse it more safely or use a different mechanism to set the variable. For example, if `gstack-slug` outputs `SLUG=value`, use `SLUG=$(~/.claude/skills/gstack/bin/gstack-slug \| cut -d'=' -f2)` (assuming the output format is strictly controlled and safe).	Static	SKILL.md:45
CRITICAL	Command Injection via 'eval' with untrusted binary output (second instance) The same command injection vulnerability using 'eval' with the output of 'gstack-slug' is present in another section of the skill. Avoid using 'eval' with external command output. If the output is expected to be a simple variable assignment (e.g., `VAR="value"`), parse it more safely or use a different mechanism to set the variable. For example, if `gstack-slug` outputs `SLUG=value`, use `SLUG=$(~/.claude/skills/gstack/bin/gstack-slug \| cut -d'=' -f2)` (assuming the output format is strictly controlled and safe).	Static	SKILL.md:150
CRITICAL	Path Traversal in 'domain-skill save' command via --from-file The `handleSave` function in `src/domain-skill-commands.ts` reads the skill body from a file specified by `--from-file <path>`. The `filePath` is taken directly from command arguments without validation using `validateReadPath`. This allows an attacker to specify an arbitrary file path (e.g., `/etc/passwd`) and read its content, leading to data exfiltration. Before reading the file, validate the `filePath` using `validateReadPath(filePath)` from `src/path-security.ts` to ensure it is within allowed directories (e.g., temporary directories or the current working directory).	Static	src/domain-skill-commands.ts:50
CRITICAL	Path Traversal in 'pdf' command via --from-file The `parsePdfArgs` function in `src/meta-commands.ts` handles a `--from-file <path>` argument for PDF options. The `payloadPath` is then passed to `parsePdfFromFile` which reads its content without validation using `validateReadPath`. This allows an attacker to specify an arbitrary file path (e.g., `/etc/shadow`) and read its content, leading to data exfiltration. Before reading the file, validate the `payloadPath` using `validateReadPath(payloadPath)` from `src/path-security.ts` within the `parsePdfFromFile` function to ensure it is within allowed directories.	Static	src/meta-commands.ts:149
CRITICAL	Path Traversal in 'network --export' command The `handleNetworkCommand` in `src/read-commands.ts` allows exporting captured network responses to a user-specified file path via `--export <file>`. The `filePath` is taken directly from command arguments and passed to `exportCapture` without validation using `validateOutputPath`. This allows an attacker to write arbitrary network response data to any location on the filesystem. Before calling `exportCapture(filePath)`, validate the `filePath` using `validateOutputPath(filePath)` from `src/path-security.ts` to ensure it is written only to allowed directories (e.g., temporary directories or the current working directory).	Static	src/read-commands.ts:197
CRITICAL	Path Traversal in 'cookies --export' command The `handleCookiesCommand` in `src/read-commands.ts` allows exporting cookies to a user-specified file path via `--export <file>`. The `filePath` is taken directly from command arguments and passed to `fs.writeFileSync` without validation using `validateOutputPath`. This allows an attacker to write arbitrary cookie data to any location on the filesystem. Before calling `fs.writeFileSync(filePath, ...)`, validate the `filePath` using `validateOutputPath(filePath)` from `src/path-security.ts` to ensure it is written only to allowed directories.	Static	src/read-commands.ts:234
CRITICAL	Path Traversal in 'storage --export' command The `handleStorageCommand` in `src/read-commands.ts` allows exporting local/session storage to a user-specified file path via `--export <file>`. The `filePath` is taken directly from command arguments and passed to `fs.writeFileSync` without validation using `validateOutputPath`. This allows an attacker to write arbitrary storage data to any location on the filesystem. Before calling `fs.writeFileSync(filePath, ...)`, validate the `filePath` using `validateOutputPath(filePath)` from `src/path-security.ts` to ensure it is written only to allowed directories.	Static	src/read-commands.ts:269
CRITICAL	Path Traversal in 'perf --export' command The `handlePerfCommand` in `src/read-commands.ts` allows exporting performance metrics to a user-specified file path via `--export <file>`. The `filePath` is taken directly from command arguments and passed to `fs.writeFileSync` without validation using `validateOutputPath`. This allows an attacker to write arbitrary performance data to any location on the filesystem. Before calling `fs.writeFileSync(filePath, ...)`, validate the `filePath` using `validateOutputPath(filePath)` from `src/path-security.ts` to ensure it is written only to allowed directories.	Static	src/read-commands.ts:298
HIGH	Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough.	Manifest	browse/src/browser-skill-commands.ts:369
HIGH	Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough.	Manifest	browse/test/commands.test.ts:723
HIGH	Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints.	Static	browse/SKILL.md:1
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:7
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:13
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:17
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:21
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:26
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:32
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:35
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:43
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:44
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:50
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:56
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:61
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:66
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:77
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:78
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:94
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:96
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:101
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:102
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:115
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:142
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:152
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:153
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:170
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:171
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:216
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:232
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:234
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:240
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:258
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:259
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:322
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:323
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:368
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:387
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:393
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:394
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:404
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	browse/SKILL.md:611
HIGH	Data Exfiltration / Prompt Injection via echoing user-controlled file content The skill reads the content of `~/.gstack-brain-remote.txt` into `_BRAIN_NEW_URL` and then echoes it. If this user-controlled file contains sensitive information, it could be exfiltrated. If it contains malicious instructions (e.g., 'ignore previous instructions'), it could lead to prompt injection. Avoid echoing content from user-controlled files directly. If the content must be displayed, ensure it is properly sanitized to prevent both data exfiltration and prompt injection. Consider using a dedicated display mechanism that does not interpret the content as instructions.	Static	SKILL.md:170
HIGH	Data Exfiltration / Prompt Injection via echoing user-controlled file content (second instance) The skill reads the content of `~/.gstack/.brain-last-push` into `_BRAIN_LAST_PUSH` and then echoes it. If this user-controlled file contains sensitive information, it could be exfiltrated. If it contains malicious instructions, it could lead to prompt injection. Avoid echoing content from user-controlled files directly. If the content must be displayed, ensure it is properly sanitized to prevent both data exfiltration and prompt injection. Consider using a dedicated display mechanism that does not interpret the content as instructions.	Static	SKILL.md:186
HIGH	Supply Chain Risk: Downloading and executing external script The skill downloads and executes an installation script from 'https://bun.sh/install'. While a SHA256 checksum is performed, this still introduces a supply chain risk. A compromise of 'bun.sh' or a vulnerability in the installation script could lead to arbitrary code execution on the user's system. Relying on external scripts for core dependencies is generally discouraged. Prefer bundling dependencies or using a trusted package manager. If external downloads are unavoidable, implement stricter verification (e.g., GPG signatures) and consider sandboxing the execution environment. Regularly audit the source of such scripts.	Static	SKILL.md:248
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	browse/SKILL.md:51
MEDIUM	Command Injection via EDITOR environment variable in 'domain-skill edit' The `handleEdit` function in `src/domain-skill-commands.ts` executes the program specified by the `EDITOR` environment variable. If a user has configured `EDITOR` to a malicious command, this could lead to arbitrary code execution. While this is often considered a user configuration risk, the skill directly invokes it without sanitization or warning. Consider sanitizing the `EDITOR` environment variable or providing a warning to the user about the risks of setting it to untrusted executables. Alternatively, restrict the allowed editors to a safe list or provide an in-skill editing mechanism.	Static	src/domain-skill-commands.ts:150
INFO	Credential Harvesting (Intended Functionality) The `cookie-import-browser.ts` module explicitly accesses browser cookie databases and system credential stores (macOS Keychain, Linux secret-tool, Windows DPAPI) to decrypt and import cookies. This is a core, declared functionality of the skill. While it involves handling sensitive credentials, it appears to be an intended feature rather than an unintended vulnerability. The risk lies in potential misuse of this functionality or insecure handling of the extracted credentials post-import. Ensure that all extracted credentials are handled with the highest security standards, including strict access controls, encryption at rest, and ephemeral storage. Provide clear warnings and consent mechanisms to users regarding the sensitive nature of this operation.	Static	src/cookie-import-browser.ts:200

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/19960d84a3fe816d.svg)](https://skillshield.io/report/19960d84a3fe816d)