vibe-coding-skills-installer

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a legitimate installer, but it runs unpinned third-party install code and makes persistent changes to the agent's installed skills, for you or for a whole team.

Install only if you trust the upstream repositories and want them changing your agent environment. Prefer project scope first, avoid team/global auto-update modes until they have been reviewed, and inspect the full script and the upstream commits it pulls before running it, because the script view provided here is truncated.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A later upstream change or compromise could install different code than what was reviewed here.

Why it was flagged

The installer pulls current remote package/repository contents without pins, checksums, or integrity verification before adding them to the user's agent environment.

Skill content
npm install -g @fission-ai/openspec@latest; git clone --single-branch --depth 1 "$GSTACK_REPO" "$gstack_dir"
Recommendation

Pin npm versions and git commits/tags, show exact resolved sources before installation, and require explicit approval for unpinned updates.

What this means

A downloaded or pre-existing setup script could run arbitrary local commands, not merely copy skill files.

Why it was flagged

After cloning or updating gstack, the script executes the repository's setup program with the user's local permissions.

Skill content
(cd "$gstack_dir" && ./setup --host "$host_flag")
Recommendation

Display and confirm the exact setup script before running it, verify the repository origin and commit, and consider sandboxing or a dry-run mode.

What this means

A bad install choice or bad upstream update could affect future agent sessions and collaborators, not just the current task.

Why it was flagged

Project and team-mode installs can propagate persistent agent instructions through a repository or team setup, but the artifacts do not clearly show changed files, rollback steps, or containment limits.

Skill content
Project-level ... The skill travels with the repo and is available to all contributors. ... Global + team mode — Global install + configure the current project for team auto-updates
Recommendation

Require an explicit team-mode confirmation, list all files/configuration changes, avoid auto-updates by default, and provide an uninstall/rollback procedure.
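The three recommendations above (pin and display sources, confirm the setup script before it runs, record what changed) can be met with a small amount of shell. The script below is an added example written for this review, not the skill's own installer, and it replaces the quoted `npm install -g ...@latest; git clone ...; ./setup` sequence. Every version, tag, commit and URL in it is a placeholder (an assumption) to be replaced with the values a reviewer actually inspected; the hypothetical `DRY_RUN`, `GSTACK_DIR` and `HOST_FLAG` variables are this example's own.

```sh
#!/bin/sh
# Added example, not the skill's own code: a pinned and verified replacement for
#   npm install -g @fission-ai/openspec@latest; git clone --single-branch --depth 1 "$GSTACK_REPO" "$gstack_dir"
#   (cd "$gstack_dir" && ./setup --host "$host_flag")
# Every version, tag, commit and URL below is a placeholder (assumption); fill in the reviewed values.
set -eu

OPENSPEC_VERSION="${OPENSPEC_VERSION:-0.0.0}"                              # placeholder exact version
GSTACK_REPO="${GSTACK_REPO:-https://example.invalid/gstack.git}"           # placeholder URL
GSTACK_REF="${GSTACK_REF:-v0.0.0}"                                         # placeholder tag
GSTACK_COMMIT="${GSTACK_COMMIT:-0000000000000000000000000000000000000000}" # placeholder 40-hex pin

# Accept only name@x.y.z; @latest, @next, ranges and bare names resolve at install time, not review time.
is_pinned_npm_spec() {
  case "$1" in *@latest|*@next) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^(@[a-z0-9._-]+/)?[a-z0-9._-]+@[0-9]+\.[0-9]+\.[0-9]+$'
}

is_full_commit() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Fetch one tag, then compare HEAD with the reviewed commit. A moved tag, a
# force-pushed ref or a swapped remote fails here, before ./setup can run.
# Prints the verified commit on success.
clone_pinned() {
  repo="$1"; ref="$2"; want="$3"; dest="$4"
  is_full_commit "$want" || { echo "refusing: commit pin must be a full 40-hex SHA-1" >&2; return 1; }
  git -c advice.detachedHead=false clone --quiet --depth 1 --branch "$ref" "$repo" "$dest"
  got=$(git -C "$dest" rev-parse HEAD)
  if [ "$got" != "$want" ]; then
    echo "refusing: $repo@$ref resolved to $got, expected $want" >&2
    rm -rf "$dest"
    return 1
  fi
  echo "$got"
}

# Record what the install touched so a reviewer can see it and an uninstall step can undo it.
write_manifest() {
  manifest="$1"; dir="$2"
  {
    echo "npm_global=@fission-ai/openspec@$OPENSPEC_VERSION"
    echo "gstack_source=$GSTACK_REPO@$GSTACK_REF"
    echo "gstack_commit=$(git -C "$dir" rev-parse HEAD)"
    echo "gstack_dir=$dir"
  } > "$manifest"
}

# Show the exact setup script that would execute, then require an explicit "y".
# DRY_RUN=1 prints the script and stops, so review can happen without running it.
confirm_and_run_setup() {
  dir="$1"; host_flag="$2"
  echo "== $dir/setup at commit $(git -C "$dir" rev-parse HEAD) =="
  cat "$dir/setup"
  if [ "${DRY_RUN:-0}" = "1" ]; then return 0; fi
  printf 'Run this setup script with your local permissions? [y/N] '
  read -r answer
  [ "$answer" = "y" ] || { echo "aborted, nothing executed" >&2; return 1; }
  (cd "$dir" && ./setup --host "$host_flag")
}

main() {
  spec="@fission-ai/openspec@$OPENSPEC_VERSION"
  is_pinned_npm_spec "$spec" || { echo "refusing: $spec is not pinned to an exact version" >&2; return 1; }
  gstack_dir="${GSTACK_DIR:-$HOME/.gstack}"
  echo "will install: $spec"
  echo "will clone:   $GSTACK_REPO@$GSTACK_REF ($GSTACK_COMMIT) -> $gstack_dir"
  npm install -g "$spec"
  clone_pinned "$GSTACK_REPO" "$GSTACK_REF" "$GSTACK_COMMIT" "$gstack_dir" >/dev/null
  write_manifest "$gstack_dir/.install-manifest" "$gstack_dir"
  confirm_and_run_setup "$gstack_dir" "${HOST_FLAG:-}"
}

# Only acts when explicitly asked, so sourcing the file for review runs nothing.
if [ "${1:-}" = "--install" ]; then main; fi
```

Run it as `DRY_RUN=1 sh install.sh --install` first to see the resolved sources and the setup script without executing anything, then without `DRY_RUN` to be prompted. Because the commit check happens before `./setup`, an upstream change after review is rejected rather than silently installed, and the manifest lists exactly what a rollback has to remove; the npm package itself still relies on the registry serving the pinned version, which is why the version, not a tag like `latest`, is the thing the reviewer approves.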