Security Audit

garrytan/gstack:land-and-deploy

github.com/garrytan/gstack

AI SkillCommit dbd7aee5b6b5

CRITICAL

Scanned 20 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

garrytan/gstack:land-and-deploy received a trust score of 0/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 80 findings: 38 critical, 40 high, 1 medium, and 0 low severity. Key findings include File read + network send exfiltration, Dangerous tool allowed: Bash, Sensitive environment variable access: $HOME.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on April 9, 2026 (commit dbd7aee5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

38 findings

Filesystem Write

75 findings

Shell Execution

42 findings

Dynamic Code

5 findings

Excessive Permissions

77 findings

Security Findings80

Severity	Finding	Layer	Location
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:7
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:13
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:17
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:21
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:26
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:39
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:40
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:47
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:53
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:59
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:65
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:89
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:91
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:117
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:128
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:129
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:149
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:150
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:199
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:222
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:224
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:230
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:295
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:371
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:415
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:441
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:447
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:448
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:508
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:542
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:695
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:866
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:959
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:1005
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:1276
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	land-and-deploy/SKILL.md:1530
CRITICAL	Command Injection via `source` of external binary output The skill uses `source <(~/.claude/skills/gstack/bin/gstack-repo-mode 2>/dev/null)` which executes the output of the `gstack-repo-mode` binary directly in the current shell context. If an attacker can control the output of `gstack-repo-mode` (e.g., by manipulating its environment, configuration, or by replacing the binary itself), they can execute arbitrary commands with the permissions of the skill. Avoid using `source` or `eval` with untrusted or potentially manipulable input. If the output is meant to set environment variables, parse it carefully or use a safer mechanism. Ensure the `gstack-repo-mode` binary and its execution environment are fully secured and untamperable.	LLM	SKILL.md:15
CRITICAL	Command Injection via `eval` of external binary output The skill uses `eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)"` multiple times. This executes the output of the `gstack-slug` binary directly in the current shell context. If an attacker can control the output of `gstack-slug`, they can execute arbitrary commands with the permissions of the skill. This is a direct command injection vulnerability. Avoid using `eval` with untrusted or potentially manipulable input. If the output is meant to set variables, parse it carefully using `read` or other safer methods. Ensure the `gstack-slug` binary and its execution environment are fully secured and untamperable.	LLM	SKILL.md:45
HIGH	Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints.	Static	land-and-deploy/SKILL.md:1
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:7
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:13
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:17
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:21
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:26
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:39
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:40
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:47
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:53
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:59
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:65
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:89
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:91
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:117
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:128
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:129
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:149
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:150
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:199
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:222
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:224
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:230
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:295
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:371
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:415
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:441
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:447
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:448
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:508
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:542
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:695
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:866
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:959
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:1005
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:1276
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	land-and-deploy/SKILL.md:1530
HIGH	Path Traversal / Data Exfiltration via `SLUG` variable The `SLUG` variable is derived from the output of `gstack-slug` via an `eval` command (a critical command injection risk itself). This `SLUG` is then used to construct file paths, e.g., `_LEARN_FILE="${GSTACK_HOME:-$HOME/.gstack}/projects/${SLUG:-unknown}/learnings.jsonl"` and `touch ~/.gstack/.vendoring-warned-${SLUG:-unknown}`. If `SLUG` contains path traversal sequences (e.g., `../`) or other malicious characters, an attacker could manipulate file paths to read, write, or delete arbitrary files outside the intended project directory, leading to data exfiltration or system compromise. Sanitize or validate the `SLUG` variable to ensure it only contains safe characters (e.g., alphanumeric, hyphens) and does not contain path separators or other shell metacharacters before using it in file paths. Alternatively, use a safer method for setting variables than `eval`.	LLM	SKILL.md:46
HIGH	Data Exfiltration / JSON Injection via unescaped `_BRANCH` in JSON string The `_BRANCH` variable, obtained from `git branch --show-current`, is concatenated into a JSON string without proper escaping: `'{"skill":"land-and-deploy","event":"started","branch":"'"$_BRANCH"'","session":"'"$_SESSION_ID"'"}'`. If `_BRANCH` contains double quotes (`"`) or backslashes (`\`), it could break the JSON structure, leading to malformed data being logged. In a more sophisticated attack, this could be used to inject arbitrary JSON fields or potentially manipulate the interpretation of the log entry by downstream systems, leading to data exfiltration or integrity issues if the `gstack-timeline-log` binary is vulnerable to such input. Ensure all variables interpolated into JSON strings are properly JSON-escaped. For shell scripts, this often requires a dedicated function to escape special characters like `"` and `\`.	LLM	SKILL.md:30
HIGH	Path Traversal / Data Exfiltration via `_BRANCH` in file path The `_BRANCH` variable is used to construct a file path: `"$_PROJ/${_BRANCH}-reviews.jsonl"`. If `_BRANCH` contains path traversal sequences (e.g., `../`) or other malicious characters, an attacker could manipulate the path to access or create files outside the intended project directory, potentially leading to data exfiltration or integrity issues. Sanitize or validate the `_BRANCH` variable to ensure it only contains safe characters (e.g., alphanumeric, hyphens) and does not contain path separators or other shell metacharacters before using it in file paths.	LLM	SKILL.md:141
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	land-and-deploy/SKILL.md:48
INFO	Excessive Permissions: Broad Bash and File System Access The skill declares `Bash`, `Read`, and `Write` permissions. While the skill's functionality (e.g., git operations, file management, executing helper binaries) necessitates these, the combination of broad `Bash` execution with `Read` and `Write` access to the filesystem grants significant power. The use of `eval` and `source` (flagged as CRITICAL command injection) further amplifies the risk associated with these broad permissions. Any vulnerability in the skill's logic or its helper binaries could be exploited to perform arbitrary actions on the user's system. Review if all declared permissions are strictly necessary for the skill's core functionality. If possible, narrow the scope of file system access or restrict `Bash` commands to a whitelist. For external binaries, ensure they are sandboxed or have minimal necessary permissions. The primary remediation for this INFO finding is to address the CRITICAL command injection vulnerabilities that leverage these broad permissions.	LLM	Manifest:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/951ff8b1a7b075fd.svg)](https://skillshield.io/report/951ff8b1a7b075fd)