cso
Conducts comprehensive security audits and threat modeling for infrastructure, focusing on CI/CD and AI security.
Install this skill
Security score
The cso skill was audited on Jun 10, 2026 and we found 90 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 37 | ```bash |
Template literal with variable interpolation in command context
| 287 | ```bash |
Template literal with variable interpolation in command context
| 422 | ```bash |
Template literal with variable interpolation in command context
| 456 | echo "before relying on \`gbrain search\` for code questions in this worktree." |
Template literal with variable interpolation in command context
| 584 | ```bash |
Webhook reference - potential data exfiltration
| 751 | The real attack surface isn't your code — it's your dependencies. Most teams audit their own app but forget: exposed env vars in CI logs, stale API keys in git history, forgotten staging servers with |
Webhook reference - potential data exfiltration
| 881 | **Code surface:** Use the Grep tool to find endpoints, auth boundaries, external integrations, file upload paths, admin routes, webhook handlers, background jobs, and WebSocket channels. Scope file ex |
Webhook reference - potential data exfiltration
| 908 | Webhook receivers: N |
Webhook reference - potential data exfiltration
| 975 | 2. **Webhooks:** Trace handler code to verify whether signature verification exists anywhere in the middleware chain. Do NOT make HTTP requests. |
Webhook reference - potential data exfiltration
| 1019 | 4 HIGH 9/10 UNVERIFIED Integrations Webhook w/o signature verify P6 api/webhooks.ts:24 |
Webhook reference - potential data exfiltration
| 1150 | "infrastructure": { "ci_workflows": 0, "webhook_receivers": 0, "container_configs": 0, "iac_configs": 0, "deploy_targets": 0, "secret_management": "unknown" } |
Access to hidden dotfiles in home directory
| 38 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 40 | mkdir -p ~/.gstack/sessions |
Access to hidden dotfiles in home directory
| 41 | touch ~/.gstack/sessions/"$PPID" |
Access to hidden dotfiles in home directory
| 42 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
Access to hidden dotfiles in home directory
| 43 | find ~/.gstack/sessions -mmin +120 -type f -exec rm {} + 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 44 | _PROACTIVE=$(~/.claude/skills/gstack/bin/gstack-config get proactive 2>/dev/null || echo "true") |
Access to hidden dotfiles in home directory
| 45 | _PROACTIVE_PROMPTED=$([ -f ~/.gstack/.proactive-prompted ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 48 | _SKILL_PREFIX=$(~/.claude/skills/gstack/bin/gstack-config get skill_prefix 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 52 | source <(~/.claude/skills/gstack/bin/gstack-repo-mode 2>/dev/null) || true |
Access to hidden dotfiles in home directory
| 55 | _SESSION_KIND=$(~/.claude/skills/gstack/bin/gstack-session-kind 2>/dev/null || echo "interactive") |
Access to hidden dotfiles in home directory
| 58 | _LAKE_SEEN=$([ -f ~/.gstack/.completeness-intro-seen ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 60 | _TEL=$(~/.claude/skills/gstack/bin/gstack-config get telemetry 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 61 | _TEL_PROMPTED=$([ -f ~/.gstack/.telemetry-prompted ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 66 | _EXPLAIN_LEVEL=$(~/.claude/skills/gstack/bin/gstack-config get explain_level 2>/dev/null || echo "default") |
Access to hidden dotfiles in home directory
| 69 | _QUESTION_TUNING=$(~/.claude/skills/gstack/bin/gstack-config get question_tuning 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 71 | mkdir -p ~/.gstack/analytics |
Access to hidden dotfiles in home directory
| 73 | echo '{"skill":"cso","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(_repo=$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null | tr -cd 'a-zA-Z0-9._-'); echo "${_repo:-unknown}")' |
Access to hidden dotfiles in home directory
| 75 | for _PF in $(find ~/.gstack/analytics -maxdepth 1 -name '.pending-*' 2>/dev/null); do |
Access to hidden dotfiles in home directory
| 77 | if [ "$_TEL" != "off" ] && [ -x "~/.claude/skills/gstack/bin/gstack-telemetry-log" ]; then |
Access to hidden dotfiles in home directory
| 78 | ~/.claude/skills/gstack/bin/gstack-telemetry-log --event-type skill_run --skill _pending_finalize --outcome unknown --session-id "$_SESSION_ID" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 84 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 90 | ~/.claude/skills/gstack/bin/gstack-learnings-search --limit 3 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 95 | ~/.claude/skills/gstack/bin/gstack-timeline-log '{"skill":"cso","event":"started","branch":"'"$_BRANCH"'","session":"'"$_SESSION_ID"'"}' 2>/dev/null & |
Access to hidden dotfiles in home directory
| 100 | _ROUTING_DECLINED=$(~/.claude/skills/gstack/bin/gstack-config get routing_declined 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 111 | _CHECKPOINT_MODE=$(~/.claude/skills/gstack/bin/gstack-config get checkpoint_mode 2>/dev/null || echo "explicit") |
Access to hidden dotfiles in home directory
| 112 | _CHECKPOINT_PUSH=$(~/.claude/skills/gstack/bin/gstack-config get checkpoint_push 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 133 | In plan mode, allowed because they inform the plan: `$B`, `$D`, `codex exec`/`codex review`, writes to `~/.gstack/`, writes to the plan file, and `open` for generated artifacts. |
Access to hidden dotfiles in home directory
| 141 | If `SKILL_PREFIX` is `"true"`, suggest/invoke `/gstack-*` names. Disk paths stay `~/.claude/skills/gstack/[skill-name]/SKILL.md`. |
Access to hidden dotfiles in home directory
| 143 | If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with |
Access to hidden dotfiles in home directory
| 148 | - Missing `~/.claude/skills/gstack/.feature-prompted-continuous-checkpoint`: AskUserQuestion for Continuous checkpoint auto-commits. If accepted, run `~/.claude/skills/gstack/bin/gstack-config set che |
Access to hidden dotfiles in home directory
| 149 | - Missing `~/.claude/skills/gstack/.feature-prompted-model-overlay`: inform "Model overlays are active. MODEL_OVERLAY shows the patch." Always touch marker. |
Access to hidden dotfiles in home directory
| 162 | If B: run `~/.claude/skills/gstack/bin/gstack-config set explain_level terse`. |
Access to hidden dotfiles in home directory
| 166 | rm -f ~/.gstack/.writing-style-prompt-pending |
Access to hidden dotfiles in home directory
| 167 | touch ~/.gstack/.writing-style-prompted |
Access to hidden dotfiles in home directory
| 176 | touch ~/.gstack/.completeness-intro-seen |
Access to hidden dotfiles in home directory
| 189 | If A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry community` |
Access to hidden dotfiles in home directory
| 199 | If B→A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry anonymous` |
Access to hidden dotfiles in home directory
| 200 | If B→B: run `~/.claude/skills/gstack/bin/gstack-config set telemetry off` |
Access to hidden dotfiles in home directory
| 204 | touch ~/.gstack/.telemetry-prompted |
Access to hidden dotfiles in home directory
| 217 | If A: run `~/.claude/skills/gstack/bin/gstack-config set proactive true` |
Access to hidden dotfiles in home directory
| 218 | If B: run `~/.claude/skills/gstack/bin/gstack-config set proactive false` |
Access to hidden dotfiles in home directory
| 222 | touch ~/.gstack/.proactive-prompted |
Access to hidden dotfiles in home directory
| 264 | If B: run `~/.claude/skills/gstack/bin/gstack-config set routing_declined true` and say they can re-enable with `gstack-config set routing_declined false`. |
Access to hidden dotfiles in home directory
| 268 | If `VENDORED_GSTACK` is `yes`, warn once via AskUserQuestion unless `~/.gstack/.vendoring-warned-$SLUG` exists: |
Access to hidden dotfiles in home directory
| 280 | 3. Run `~/.claude/skills/gstack/bin/gstack-team-init required` (or `optional`) |
Access to hidden dotfiles in home directory
| 282 | 5. Tell the user: "Done. Each developer now runs: `cd ~/.claude/skills/gstack && ./setup --team`" |
Access to hidden dotfiles in home directory
| 288 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 289 | touch ~/.gstack/.vendoring-warned-${SLUG:-unknown} |
Access to hidden dotfiles in home directory
| 431 | _BRAIN_SYNC_BIN="~/.claude/skills/gstack/bin/gstack-brain-sync" |
Access to hidden dotfiles in home directory
| 432 | _BRAIN_CONFIG_BIN="~/.claude/skills/gstack/bin/gstack-config" |
Access to hidden dotfiles in home directory
| 536 | If A/B and `~/.gstack/.git` is missing, ask whether to run `gstack-artifacts-init`. Do not block the skill. |
Access to hidden dotfiles in home directory
| 541 | "~/.claude/skills/gstack/bin/gstack-brain-sync" --discover-new 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 542 | "~/.claude/skills/gstack/bin/gstack-brain-sync" --once 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 585 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" |
Access to hidden dotfiles in home directory
| 602 | ~/.claude/skills/gstack/bin/gstack-decision-search --recent 5 2>/dev/null |
Access to hidden dotfiles in home directory
| 611 | **Cross-session decisions.** If `ACTIVE DECISIONS` are listed, treat them as prior settled calls with their rationale — do not silently re-litigate them; if you're about to reverse one, say so explici |
Access to hidden dotfiles in home directory
| 624 | Curated jargon list lives at `~/.claude/skills/gstack/scripts/jargon-list.json` (80+ terms). On the first jargon term you encounter this session, Read that file once; treat the `terms` array as the ca |
Access to hidden dotfiles in home directory
| 670 | Before each AskUserQuestion, choose `question_id` from `scripts/question-registry.ts` or `{skill}-{slug}`, then run `~/.claude/skills/gstack/bin/gstack-question-preference --check "<id>"`. `AUTO_DECID |
Access to hidden dotfiles in home directory
| 678 | ~/.claude/skills/gstack/bin/gstack-question-log '{"skill":"cso","question_id":"<id>","question_summary":"<short>","category":"<approval|clarification|routing|cherry-pick|feedback-loop>","door_type":"< |
Access to hidden dotfiles in home directory
| 687 | ~/.claude/skills/gstack/bin/gstack-question-preference --write '{"question_id":"<id>","preference":"<pref>","source":"inline-user","free_text":"<optional original words>"}' |
Access to hidden dotfiles in home directory
| 707 | ~/.claude/skills/gstack/bin/gstack-learnings-log '{"skill":"SKILL_NAME","type":"operational","key":"SHORT_KEY","insight":"DESCRIPTION","confidence":N,"source":"observed"}' |
Access to hidden dotfiles in home directory
| 717 | `~/.gstack/analytics/`, matching preamble analytics writes. |
Access to hidden dotfiles in home directory
| 724 | rm -f ~/.gstack/analytics/.pending-"$_SESSION_ID" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 726 | ~/.claude/skills/gstack/bin/gstack-timeline-log '{"skill":"SKILL_NAME","event":"completed","branch":"'$(git branch --show-current 2>/dev/null || echo unknown)'","outcome":"OUTCOME","duration_s":"'"$_T |
Access to hidden dotfiles in home directory
| 729 | echo '{"skill":"SKILL_NAME","duration_s":"'"$_TEL_DUR"'","outcome":"OUTCOME","browse":"USED_BROWSE","session":"'"$_SESSION_ID"'","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"}' >> ~/.gstack/analytics/skill- |
Access to hidden dotfiles in home directory
| 732 | if [ "$_TEL" != "off" ] && [ -x ~/.claude/skills/gstack/bin/gstack-telemetry-log ]; then |
Access to hidden dotfiles in home directory
| 733 | ~/.claude/skills/gstack/bin/gstack-telemetry-log \ |
Access to hidden dotfiles in home directory
| 844 | _CROSS_PROJ=$(~/.claude/skills/gstack/bin/gstack-config get cross_project_learnings 2>/dev/null || echo "unset") |
Access to hidden dotfiles in home directory
| 847 | ~/.claude/skills/gstack/bin/gstack-learnings-search --limit 10 --cross-project 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 849 | ~/.claude/skills/gstack/bin/gstack-learnings-search --limit 10 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 864 | If A: run `~/.claude/skills/gstack/bin/gstack-config set cross_project_learnings true` |
Access to hidden dotfiles in home directory
| 865 | If B: run `~/.claude/skills/gstack/bin/gstack-config set cross_project_learnings false` |
Access to hidden dotfiles in home directory
| 915 | > **STOP.** Before running the scope-dependent audit phases (Phases 2-11) selected by the resolved mode, after the Phase 0 stack detection and Phase 1 attack-surface census, Read `~/.claude/skills/gst |
Access to hidden dotfiles in home directory
| 1068 | `~/.gstack-dev/plans/1539-framework-aware-review.md` design doc. |
Access to hidden dotfiles in home directory
| 1199 | ~/.claude/skills/gstack/bin/gstack-learnings-log '{"skill":"cso","type":"TYPE","key":"SHORT_KEY","insight":"DESCRIPTION","confidence":N,"source":"SOURCE","files":["path/to/relevant/file"]}' |
Access to .env file
| 889 | ls .env .env.* 2>/dev/null |
Access to .env file
| 1016 | 1 CRIT 9/10 VERIFIED Secrets AWS key in git history P2 .env:3 |
External URL reference
| 172 | If `LAKE_INTRO` is `no`: say "gstack follows the **Boil the Ocean** principle — do the complete thing when AI makes marginal cost near-zero. Read more: https://garryslist.org/posts/boil-the-ocean" Off |
External URL reference
| 175 | open https://garryslist.org/posts/boil-the-ocean |