Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gstack

v1.0.0

Fast headless browser for QA testing and site dogfooding. Navigate any URL, interact with elements, verify page state, diff before/after actions, take annota...

by OVYED Deno (@ovyeddeno)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (headless browser for QA/dogfooding) aligns with the included CLI/server/browser code, ref system, snapshot/diff, and cookie-import features. However, the skill's manifest declares no required binaries or env vars even though the README and SKILL.md expect Git, Bun, Playwright/Chromium, and optional ANTHROPIC_API_KEY for tests. The missing declared requirements are a documentation mismatch (not necessarily malicious) that users should be aware of.
[!] Instruction Scope
The SKILL.md preamble executes a local update-check script from ~/.claude/skills/gstack/bin/gstack-update-check, touches and prunes files in ~/.gstack/sessions, reads the current git branch, and instructs a one-time build that may curl-install bun (network download). The skill also documents cookie-import behavior that reads Chromium cookie DBs and triggers OS Keychain prompts to decrypt cookies. Those actions are coherent for a browser tool, but they operate on sensitive local data (browser profiles, Keychain) and run code from the skill directory — which could be modified if the skill is a symlink to a working tree. The instructions also allow auto-upgrade and auto-install flows that fetch code from the network.
[!] Install Mechanism
There is no formal install spec in the registry entry despite a substantial codebase and an expected build step. SKILL.md directs running a ./setup and will curl https://bun.sh/install if bun is missing (a remote installer). The skill also supports upgrade checks (GitHub releases per changelog) and an auto-upgrade mode. Network-based installs and self-update flows are normal for CLI tools but increase risk because they fetch and run remote code; the registry metadata does not surface or gate this behavior.
Credentials
The skill declares no required env vars or credentials (primaryEnv none), which is reasonable for a local browser tool. However docs/tests reference optional env usage (ANTHROPIC_API_KEY for evals, GSTACK_AUTO_UPGRADE/GSTACK_AUTO_UPGRADE=1 to enable silent upgrades). The cookie-import feature requires access to local browser files and will prompt the OS Keychain — those are legitimate for cookie import but sensitive and should be disclosed to users.
[!] Persistence & Privilege
always:false (good) and autonomous invocation is allowed (default). The skill creates and uses state in ~/.gstack and .gstack/ in project roots, writes logs and contributor reports, and spawns a long-lived local daemon (persistent Chromium) that auto-starts and auto-stops after idle time. A notable risk: in dev mode the repo can be symlinked into ~/.claude/skills/gstack so changes in the working tree take effect immediately — meaning project code can alter the skill behavior at runtime. Combined with the auto-upgrade and network install behaviors, this increases the attack surface if the source is untrusted.
What to consider before installing
What to check before installing/using gstack:
- Trust the source: this skill runs local binaries, reads browser profile files, and can invoke system Keychain dialogs to decrypt cookies. Only install if you trust the repository and its owner.
- Review local scripts before running them: SKILL.md's preamble calls ~/.claude/skills/gstack/bin/gstack-update-check and the project’s ./setup; inspect those scripts (and bin/gstack-update-check) before running to understand network calls and actions they take.
- Prefer manual setup: avoid enabling auto-upgrade. If you must, read the upgrade flow and consider keeping auto_upgrade disabled so upgrades require your explicit approval.
- Be cautious with dev symlinks: do not symlink an unreviewed project into ~/.claude/skills/gstack (dev mode) — that makes the agent execute whatever code is in your working tree.
- Network installs: the setup may curl https://bun.sh/install. If you prefer, install Bun and other dependencies yourself from official sources before running ./setup.
- Sensitive data: cookie-import touches local browser cookie DBs and triggers Keychain access; if you do not want the skill to see cookies or Keychain data, do not run cookie-import and avoid enabling contributor/auto features that access them.
- Optional credentials: tests/docs refer to ANTHROPIC_API_KEY and other optional vars; these are not required for normal browse/qa use but are needed for optional eval/test flows—do not provide API keys unless you know why they're needed.
- If unsure, run in isolation: use a VM/container or a disposable account/workspace to try gstack first, and audit the files it writes to ~/.gstack and ~/.claude/skills/gstack.
Summary recommendation: the tool appears to do what it claims, but because it performs privileged local actions, can self-update, and may execute code from a symlinked working tree, treat it as high-trust software: inspect the update/install scripts, disable automatic upgrades, and avoid symlinking untrusted repos into the skill directory.
browse/test/commands.test.ts:621: Shell command execution detected (child_process).
scripts/dev-skill.ts:24: Shell command execution detected (child_process).
scripts/skill-check.ts:101: Shell command execution detected (child_process).
test/helpers/eval-store.ts:523: Shell command execution detected (child_process).
test/skill-e2e.test.ts:127: Shell command execution detected (child_process).
browse/src/cli.ts:20: Environment variable access combined with network send.
browse/src/server.ts:34: Environment variable access combined with network send.
browse/test/gstack-update-check.test.ts:22: Environment variable access combined with network send.
test/skill-e2e.test.ts:21: Environment variable access combined with network send.
[!] browse/src/cli.ts:63: File read combined with network send (possible exfiltration).
[!] browse/test/gstack-update-check.test.ts:10: File read combined with network send (possible exfiltration).
[!] browse/test/test-server.ts:37: File read combined with network send (possible exfiltration).
[!] scripts/gen-skill-docs.ts:496: File read combined with network send (possible exfiltration).
[!] test/skill-e2e.test.ts:195: File read combined with network send (possible exfiltration).
[!] test/skill-validation.test.ts:124: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
