setup-browser-cookies
Import cookies from your real browser (Comet, Chrome, Arc, Brave, Edge) into the headless browse session. Opens an interactive picker UI where you select which
9/100
Security score
The setup-browser-cookies skill was audited on Mar 16, 2026 and we found 17 security issues across 4 threat categories, including 2 critical. Review the findings below before installing.
Categories Tested
Security Issues
critical line 105
Piping content to bash shell
SourceSKILL.md
| 103 | 1. Tell the user: "gstack browse needs a one-time build (~10 seconds). OK to proceed?" Then STOP and wait. |
| 104 | 2. Run: `cd <SKILL_DIR> && ./setup` |
| 105 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
| 106 | |
| 107 | ### 2. Open the cookie picker |
low line 19
Command substitution pattern
SourceSKILL.md
| 17 | |
| 18 | ```bash |
| 19 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
| 20 | [ -n "$_UPD" ] && echo "$_UPD" || true |
| 21 | mkdir -p ~/.gstack/sessions |
low line 23
Command substitution pattern
SourceSKILL.md
| 21 | mkdir -p ~/.gstack/sessions |
| 22 | touch ~/.gstack/sessions/"$PPID" |
| 23 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
| 24 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
| 25 | _CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true) |
low line 25
Command substitution pattern
SourceSKILL.md
| 23 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
| 24 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
| 25 | _CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true) |
| 26 | ``` |
| 27 |
low line 91
Command substitution pattern
SourceSKILL.md
| 89 | |
| 90 | ```bash |
| 91 | _ROOT=$(git rev-parse --show-toplevel 2>/dev/null) |
| 92 | B="" |
| 93 | [ -n "$_ROOT" ] && [ -x "$_ROOT/.claude/skills/gstack/browse/dist/browse" ] && B="$_ROOT/.claude/skills/gstack/browse/dist/browse" |
high line 105
Curl to non-GitHub URL
SourceSKILL.md
| 103 | 1. Tell the user: "gstack browse needs a one-time build (~10 seconds). OK to proceed?" Then STOP and wait. |
| 104 | 2. Run: `cd <SKILL_DIR> && ./setup` |
| 105 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
| 106 | |
| 107 | ### 2. Open the cookie picker |
low line 19
Access to home directory dotfiles
SourceSKILL.md
| 17 | |
| 18 | ```bash |
| 19 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
| 20 | [ -n "$_UPD" ] && echo "$_UPD" || true |
| 21 | mkdir -p ~/.gstack/sessions |
low line 21
Access to home directory dotfiles
SourceSKILL.md
| 19 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
| 20 | [ -n "$_UPD" ] && echo "$_UPD" || true |
| 21 | mkdir -p ~/.gstack/sessions |
| 22 | touch ~/.gstack/sessions/"$PPID" |
| 23 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
low line 22
Access to home directory dotfiles
SourceSKILL.md
| 20 | [ -n "$_UPD" ] && echo "$_UPD" || true |
| 21 | mkdir -p ~/.gstack/sessions |
| 22 | touch ~/.gstack/sessions/"$PPID" |
| 23 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
| 24 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
low line 23
Access to home directory dotfiles
SourceSKILL.md
| 21 | mkdir -p ~/.gstack/sessions |
| 22 | touch ~/.gstack/sessions/"$PPID" |
| 23 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
| 24 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
| 25 | _CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true) |
low line 24
Access to home directory dotfiles
SourceSKILL.md
| 22 | touch ~/.gstack/sessions/"$PPID" |
| 23 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
| 24 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
| 25 | _CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true) |
| 26 | ``` |
low line 25
Access to home directory dotfiles
SourceSKILL.md
| 23 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
| 24 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
| 25 | _CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true) |
| 26 | ``` |
| 27 |
medium line 28
Access to home directory dotfiles
SourceSKILL.md
| 26 | ``` |
| 27 | |
| 28 | If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with 4 options, write snooze state if declined). If `JUST_UPGRADED <from> <to>`: tell user "Running gstack v{to} (just updated!)" and continue. |
| 29 | |
| 30 | ## AskUserQuestion Format |
medium line 49
Access to home directory dotfiles
SourceSKILL.md
| 47 | **NOT gstack issues:** user's app bugs, network errors to user's URL, auth failures on user's site. |
| 48 | |
| 49 | **To file:** write `~/.gstack/contributor-logs/{slug}.md` with this structure: |
| 50 | |
| 51 | ``` |
medium line 69
Access to home directory dotfiles
SourceSKILL.md
| 67 | ``` |
| 68 | |
| 69 | Then run: `mkdir -p ~/.gstack/contributor-logs && open ~/.gstack/contributor-logs/{slug}.md` |
| 70 | |
| 71 | Slug: lowercase, hyphens, max 60 chars (e.g. `browse-snapshot-ref-gap`). Skip if file already exists. Max 3 reports per session. File inline and continue — don't stop the workflow. Tell user: "Filed gstack field report: {title}" |
low line 94
Access to home directory dotfiles
SourceSKILL.md
| 92 | B="" |
| 93 | [ -n "$_ROOT" ] && [ -x "$_ROOT/.claude/skills/gstack/browse/dist/browse" ] && B="$_ROOT/.claude/skills/gstack/browse/dist/browse" |
| 94 | [ -z "$B" ] && B=~/.claude/skills/gstack/browse/dist/browse |
| 95 | if [ -x "$B" ]; then |
| 96 | echo "READY: $B" |
critical line 105
Curl pipe to interpreter
SourceSKILL.md
| 103 | 1. Tell the user: "gstack browse needs a one-time build (~10 seconds). OK to proceed?" Then STOP and wait. |
| 104 | 2. Run: `cd <SKILL_DIR> && ./setup` |
| 105 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
| 106 | |
| 107 | ### 2. Open the cookie picker |
Scanned on Mar 16, 2026
View Security Dashboard