Security audit

Gstack Orchestrate

Security checks across malware telemetry and agentic risk

Overview

This is a high-impact developer orchestration skill, but its repository changes, local state, and opt-in remote telemetry are disclosed and fit its stated purpose.

Install only if you trust the surrounding gstack and superpowers skills. Use it on a clean non-base branch, review the task breakdown before approving dispatch, keep telemetry off if repository or branch metadata is sensitive, and inspect the resulting commits before confirming the /ship handoff.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill performs telemetry bootstrapping, local analytics writes, stale-session finalization, and optional remote telemetry transmission even though its manifest and user-facing purpose describe orchestration and shipping plans. This hidden expansion of scope creates an unexpected data-flow side effect: repository metadata, branch names, timestamps, and session identifiers may be logged locally or sent remotely without an explicit runtime consent step.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill contains optional remote telemetry transmission that is not necessary to complete orchestration. Even if gated by a setting, this is a security-relevant capability because it can exfiltrate run metadata off-host through an auxiliary binary outside the core workflow.

Vague Triggers

Medium
Confidence: 90%
Finding
The documented voice triggers are very broad phrases like 'execute the plan' and 'orchestrate the plan', which can plausibly occur in normal conversation or dictation. Because this skill performs high-impact orchestration actions involving subagents, git worktrees, cherry-picks, testing, and downstream handoff, accidental invocation raises meaningful risk even if the workflow later asks for confirmation.

Vague Triggers

Medium
Confidence: 87%
Finding
The activation phrases include broad natural-language triggers like 'execute the plan' and 'orchestrate the plan', which can cause the skill to activate in ordinary conversation without the user intending to invoke a high-privilege orchestration workflow. In this context, accidental invocation is more dangerous because the skill can spawn agents, create worktrees, modify git state, and initiate telemetry.

Missing User Warnings

Medium
Confidence: 93%
Finding
The telemetry section describes local analytics files, pending markers, timeline logs, and optional remote telemetry, but there is no clear user-facing warning that this logging occurs as part of orchestration. Lack of transparent disclosure undermines informed consent and can expose repository and session metadata unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.