Security Audit

garrytan/gstack:pair-agent

github.com/garrytan/gstack

AI SkillCommit dbd7aee5b6b5

CRITICAL

Scanned 18 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

garrytan/gstack:pair-agent received a trust score of 0/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 70 findings: 33 critical, 34 high, 2 medium, and 1 low severity. Key findings include File read + network send exfiltration, Dangerous tool allowed: Bash, Sensitive environment variable access: $HOME.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on April 9, 2026 (commit dbd7aee5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

30 findings

Filesystem Write

64 findings

Shell Execution

37 findings

Dynamic Code

5 findings

Excessive Permissions

61 findings

Security Findings70

Severity	Finding	Layer	Location
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:7
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:13
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:17
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:21
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:26
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:39
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:40
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:47
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:53
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:59
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:65
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:89
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:91
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:117
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:128
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:129
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:149
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:150
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:199
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:222
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:224
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:230
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:295
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:371
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:415
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:441
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:447
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:448
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:508
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	pair-agent/SKILL.md:565
CRITICAL	Direct Command Injection via 'eval' The skill uses `eval` to execute the output of the `gstack-slug` binary. If the output of `gstack-slug` can be controlled by an attacker (e.g., through a malicious project name or git configuration), it can lead to arbitrary command execution on the host system. This is a direct and severe command injection vulnerability. Avoid using `eval` with untrusted or potentially manipulable input. If the intent is to set variables, parse the output of `gstack-slug` more safely (e.g., using `read` with strict validation) or have `gstack-slug` write to a temporary file that is then read by the script. Ensure `gstack-slug` itself sanitizes any user-controlled input.	LLM	SKILL.md:49
CRITICAL	Direct Command Injection via 'eval' (Context Recovery) The skill uses `eval` to execute the output of the `gstack-slug` binary during context recovery. This is a repeated instance of the direct command injection vulnerability. If the output of `gstack-slug` can be controlled by an attacker, it can lead to arbitrary command execution on the host system. Avoid using `eval` with untrusted or potentially manipulable input. If the intent is to set variables, parse the output of `gstack-slug` more safely (e.g., using `read` with strict validation) or have `gstack-slug` write to a temporary file that is then read by the script. Ensure `gstack-slug` itself sanitizes any user-controlled input.	LLM	SKILL.md:107
CRITICAL	Direct Command Injection via 'source' The skill uses `source` to execute the output of the `gstack-repo-mode` binary. Similar to `eval`, if the output of `gstack-repo-mode` can be controlled by an attacker, it can lead to arbitrary command execution on the host system. This is a direct and severe command injection vulnerability. Avoid using `source` with untrusted or potentially manipulable input. If the intent is to set environment variables, consider alternative, safer methods like parsing the output line by line and setting variables explicitly, or having `gstack-repo-mode` write to a temporary file that is then read.	LLM	SKILL.md:30
HIGH	Dangerous tool allowed: Bash The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints.	Static	pair-agent/SKILL.md:1
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:7
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:13
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:17
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:21
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:26
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:39
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:40
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:47
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:53
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:59
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:65
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:89
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:91
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:117
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:128
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:129
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:149
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:150
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:199
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:222
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:224
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:230
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:295
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:371
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:415
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:441
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:447
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:448
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:508
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	pair-agent/SKILL.md:565
HIGH	Data Exfiltration via Path Traversal in 'wc -l' The `_LEARN_FILE` variable is constructed using `${SLUG:-unknown}`. Since `SLUG` is derived from the output of `gstack-slug` (which is executed via `eval`), an attacker could inject path traversal sequences (e.g., `../../../../etc`) into `SLUG`. This would cause `_LEARN_FILE` to point to an arbitrary file outside the intended directory. The content of this arbitrary file (specifically, its line count) would then be exfiltrated via `wc -l < "$_LEARN_FILE"`. Sanitize the `SLUG` variable to prevent path traversal characters (e.g., `../`). Ensure that any paths constructed from user-controlled or dynamically generated input are validated or resolved to canonical paths before use. For example, use `realpath` or explicitly filter out dangerous characters.	LLM	SKILL.md:53
HIGH	Data Exfiltration via Path Traversal in 'wc -l' (Reviews) The path `"$_PROJ/${_BRANCH}-reviews.jsonl"` is used with `wc -l`. Both `_PROJ` (derived from `SLUG`) and `_BRANCH` (derived from `git branch --show-current`) could potentially contain path traversal sequences (e.g., `../../../../etc`). If an attacker can manipulate `SLUG` or the current branch name, this could lead to `wc -l` reading the line count of an arbitrary file and exfiltrating this information. Sanitize `SLUG` and `_BRANCH` variables to prevent path traversal characters (e.g., `../`). Ensure that any paths constructed from user-controlled or dynamically generated input are validated or resolved to canonical paths before use. For example, use `realpath` or explicitly filter out dangerous characters.	LLM	SKILL.md:113
HIGH	Data Exfiltration via Path Traversal in 'tail' The path `"$_PROJ/timeline.jsonl"` is used with `tail -5`. Since `_PROJ` is derived from `SLUG` (which is vulnerable to injection), an attacker could inject path traversal sequences (e.g., `../../../../etc`) into `SLUG`. This would cause `tail` to read the last 5 lines of an arbitrary file outside the intended directory, leading to data exfiltration. Sanitize the `SLUG` variable to prevent path traversal characters (e.g., `../`). Ensure that any paths constructed from user-controlled or dynamically generated input are validated or resolved to canonical paths before use. For example, use `realpath` or explicitly filter out dangerous characters.	LLM	SKILL.md:115
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	pair-agent/SKILL.md:48
MEDIUM	Data Exfiltration via Path Traversal in 'find' and 'grep' The `_PROJ` variable (derived from `SLUG`) and `_BRANCH` variable (derived from `git branch --show-current`) are used in `find` and `grep` commands to locate and filter files. If `SLUG` or `_BRANCH` contain path traversal sequences (e.g., `../../`), an attacker could direct `find` to list files in arbitrary directories or `grep` to read and filter content from arbitrary files, potentially revealing sensitive file paths or partial file contents. Sanitize `SLUG` and `_BRANCH` variables to prevent path traversal characters (e.g., `../`). Ensure that any paths constructed from user-controlled or dynamically generated input are validated or resolved to canonical paths before use. For example, use `realpath` or explicitly filter out dangerous characters.	LLM	SKILL.md:111
LOW	Log Poisoning via Unsanitized Branch Name in JSON Log The `_BRANCH` variable, derived from `git branch --show-current`, is directly embedded into a JSON string that is passed to `gstack-timeline-log`. If a malicious actor can create a branch name containing double quotes (`"`) or backslashes (`\`), it could lead to malformed JSON being logged. This could disrupt log parsing, cause data integrity issues, or potentially be used for log poisoning attacks if the logs are consumed by other systems. Ensure that `_BRANCH` (and any other variables embedded into JSON strings) is properly escaped to prevent JSON injection. This typically involves escaping double quotes and backslashes. A dedicated JSON escaping function should be used before embedding the variable.	LLM	SKILL.md:67

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/1866e0a82e6b2443.svg)](https://skillshield.io/report/1866e0a82e6b2443)