plan-eng-review

Eng manager-mode plan review. Lock in the execution plan — architecture, data flow, diagrams, edge cases, test coverage, performance. Walks through issues inter

67/100

Security score

The plan-eng-review skill was audited on Mar 16, 2026 and we found 17 security issues across 2 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

low line 22

Command substitution pattern

SourceSKILL.md

20
21	```bash
22	_UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null \|\| .claude/skills/gstack/bin/gstack-update-check 2>/dev/null \|\| true)
23	[ -n "$_UPD" ] && echo "$_UPD" \|\| true
24	mkdir -p ~/.gstack/sessions

low line 26

Command substitution pattern

SourceSKILL.md

24	mkdir -p ~/.gstack/sessions
25	touch ~/.gstack/sessions/"$PPID"
26	_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null \| wc -l \| tr -d ' ')
27	find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null \|\| true
28	_CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null \|\| true)

low line 28

Command substitution pattern

SourceSKILL.md

26	_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null \| wc -l \| tr -d ' ')
27	find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null \|\| true
28	_CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null \|\| true)
29	```
30

low line 149

Command substitution pattern

SourceSKILL.md

147
148	```bash
149	SLUG=$(git remote get-url origin 2>/dev/null \| sed 's\|.[:/]\([^/]/[^/]\)\.git$\|\1\|;s\|.[:/]\([^/]/[^/]\)$\|\1\|' \| tr '/' '-')
150	BRANCH=$(git rev-parse --abbrev-ref HEAD)
151	USER=$(whoami)

low line 150

Command substitution pattern

SourceSKILL.md

148	```bash
149	SLUG=$(git remote get-url origin 2>/dev/null \| sed 's\|.[:/]\([^/]/[^/]\)\.git$\|\1\|;s\|.[:/]\([^/]/[^/]\)$\|\1\|' \| tr '/' '-')
150	BRANCH=$(git rev-parse --abbrev-ref HEAD)
151	USER=$(whoami)
152	DATETIME=$(date +%Y%m%d-%H%M%S)

low line 152

Command substitution pattern

SourceSKILL.md

150	BRANCH=$(git rev-parse --abbrev-ref HEAD)
151	USER=$(whoami)
152	DATETIME=$(date +%Y%m%d-%H%M%S)
153	mkdir -p ~/.gstack/projects/$SLUG
154	```

low line 22

Access to home directory dotfiles

SourceSKILL.md

20
21	```bash
22	_UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null \|\| .claude/skills/gstack/bin/gstack-update-check 2>/dev/null \|\| true)
23	[ -n "$_UPD" ] && echo "$_UPD" \|\| true
24	mkdir -p ~/.gstack/sessions

low line 24

Access to home directory dotfiles

SourceSKILL.md

22	_UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null \|\| .claude/skills/gstack/bin/gstack-update-check 2>/dev/null \|\| true)
23	[ -n "$_UPD" ] && echo "$_UPD" \|\| true
24	mkdir -p ~/.gstack/sessions
25	touch ~/.gstack/sessions/"$PPID"
26	_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null \| wc -l \| tr -d ' ')

low line 25

Access to home directory dotfiles

SourceSKILL.md

23	[ -n "$_UPD" ] && echo "$_UPD" \|\| true
24	mkdir -p ~/.gstack/sessions
25	touch ~/.gstack/sessions/"$PPID"
26	_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null \| wc -l \| tr -d ' ')
27	find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null \|\| true

low line 26

Access to home directory dotfiles

SourceSKILL.md

24	mkdir -p ~/.gstack/sessions
25	touch ~/.gstack/sessions/"$PPID"
26	_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null \| wc -l \| tr -d ' ')
27	find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null \|\| true
28	_CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null \|\| true)

low line 27

Access to home directory dotfiles

SourceSKILL.md

25	touch ~/.gstack/sessions/"$PPID"
26	_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null \| wc -l \| tr -d ' ')
27	find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null \|\| true
28	_CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null \|\| true)
29	```

low line 28

Access to home directory dotfiles

SourceSKILL.md

26	_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null \| wc -l \| tr -d ' ')
27	find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null \|\| true
28	_CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null \|\| true)
29	```
30

medium line 31

Access to home directory dotfiles

SourceSKILL.md

29	```
30
31	If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with 4 options, write snooze state if declined). If `JUST_UPGRADED <from> <to>`: tell user "Running gstack v{to} (just updated!)" and continue.
32
33	## AskUserQuestion Format

medium line 52

Access to home directory dotfiles

SourceSKILL.md

50	NOT gstack issues: user's app bugs, network errors to user's URL, auth failures on user's site.
51
52	To file: write `~/.gstack/contributor-logs/{slug}.md` with this structure:
53
54	```

medium line 72

Access to home directory dotfiles

SourceSKILL.md

70	```
71
72	Then run: `mkdir -p ~/.gstack/contributor-logs && open ~/.gstack/contributor-logs/{slug}.md`
73
74	Slug: lowercase, hyphens, max 60 chars (e.g. `browse-snapshot-ref-gap`). Skip if file already exists. Max 3 reports per session. File inline and continue — don't stop the workflow. Tell user: "Filed gstack field report: {title}"

low line 153

Access to home directory dotfiles

SourceSKILL.md

151	USER=$(whoami)
152	DATETIME=$(date +%Y%m%d-%H%M%S)
153	mkdir -p ~/.gstack/projects/$SLUG
154	```
155

medium line 156

Access to home directory dotfiles

SourceSKILL.md

154	```
155
156	Write to `~/.gstack/projects/{slug}/{user}-{branch}-test-plan-{datetime}.md`:
157
158	```markdown

Scanned on Mar 16, 2026

View Security Dashboard