Back to skill

Security audit

gstack Retro

Security checks across malware telemetry and agentic risk

Overview

This is a local git retrospective skill whose contributor analysis and saved history are disclosed and aligned with its stated purpose, though users should treat the stored people-focused metrics as sensitive.

Install only if you are comfortable with a local tool reading git history, naming contributors, generating people-focused feedback, and saving retro snapshots in memory/. Do not use the generated growth or performance-style sections as formal evaluation without team consent, and periodically review or delete saved retro JSON files if they contain sensitive team information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly persists detailed retrospective history to `memory/`, including metrics, authors, streaks, and a summary, without any user consent, retention limit, or privacy notice. Because the skill analyzes named contributors and behavioral patterns over time, this creates a durable store of potentially sensitive workplace profiling data that could be exposed to later runs, other skills, or unauthorized readers of the workspace.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.