setup-gbrain
Facilitates the setup of gbrain for coding agents, enabling seamless integration and operation of local PGLite or Supabase brains.
Install this skill
Security score
The setup-gbrain skill was audited on May 12, 2026 and we found 126 security issues across 5 threat categories, including 1 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 31 | ```bash |
Template literal with variable interpolation in command context
| 264 | ```bash |
Template literal with variable interpolation in command context
| 360 | ```bash |
Template literal with variable interpolation in command context
| 394 | echo "before relying on \`gbrain search\` for code questions in this worktree." |
Template literal with variable interpolation in command context
| 522 | ```bash |
Template literal with variable interpolation in command context
| 1198 | ```bash |
Template literal with variable interpolation in command context
| 1228 | ```bash |
Ngrok tunnel reference
| 993 | For users whose brain runs on another machine (Tailscale, ngrok, internal |
Access to hidden dotfiles in home directory
| 32 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 34 | mkdir -p ~/.gstack/sessions |
Access to hidden dotfiles in home directory
| 35 | touch ~/.gstack/sessions/"$PPID" |
Access to hidden dotfiles in home directory
| 36 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
Access to hidden dotfiles in home directory
| 37 | find ~/.gstack/sessions -mmin +120 -type f -exec rm {} + 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 38 | _PROACTIVE=$(~/.claude/skills/gstack/bin/gstack-config get proactive 2>/dev/null || echo "true") |
Access to hidden dotfiles in home directory
| 39 | _PROACTIVE_PROMPTED=$([ -f ~/.gstack/.proactive-prompted ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 42 | _SKILL_PREFIX=$(~/.claude/skills/gstack/bin/gstack-config get skill_prefix 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 46 | source <(~/.claude/skills/gstack/bin/gstack-repo-mode 2>/dev/null) || true |
Access to hidden dotfiles in home directory
| 49 | _LAKE_SEEN=$([ -f ~/.gstack/.completeness-intro-seen ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 51 | _TEL=$(~/.claude/skills/gstack/bin/gstack-config get telemetry 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 52 | _TEL_PROMPTED=$([ -f ~/.gstack/.telemetry-prompted ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 57 | _EXPLAIN_LEVEL=$(~/.claude/skills/gstack/bin/gstack-config get explain_level 2>/dev/null || echo "default") |
Access to hidden dotfiles in home directory
| 60 | _QUESTION_TUNING=$(~/.claude/skills/gstack/bin/gstack-config get question_tuning 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 62 | mkdir -p ~/.gstack/analytics |
Access to hidden dotfiles in home directory
| 64 | echo '{"skill":"setup-gbrain","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skil |
Access to hidden dotfiles in home directory
| 66 | for _PF in $(find ~/.gstack/analytics -maxdepth 1 -name '.pending-*' 2>/dev/null); do |
Access to hidden dotfiles in home directory
| 68 | if [ "$_TEL" != "off" ] && [ -x "~/.claude/skills/gstack/bin/gstack-telemetry-log" ]; then |
Access to hidden dotfiles in home directory
| 69 | ~/.claude/skills/gstack/bin/gstack-telemetry-log --event-type skill_run --skill _pending_finalize --outcome unknown --session-id "$_SESSION_ID" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 75 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 81 | ~/.claude/skills/gstack/bin/gstack-learnings-search --limit 3 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 86 | ~/.claude/skills/gstack/bin/gstack-timeline-log '{"skill":"setup-gbrain","event":"started","branch":"'"$_BRANCH"'","session":"'"$_SESSION_ID"'"}' 2>/dev/null & |
Access to hidden dotfiles in home directory
| 91 | _ROUTING_DECLINED=$(~/.claude/skills/gstack/bin/gstack-config get routing_declined 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 102 | _CHECKPOINT_MODE=$(~/.claude/skills/gstack/bin/gstack-config get checkpoint_mode 2>/dev/null || echo "explicit") |
Access to hidden dotfiles in home directory
| 103 | _CHECKPOINT_PUSH=$(~/.claude/skills/gstack/bin/gstack-config get checkpoint_push 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 111 | In plan mode, allowed because they inform the plan: `$B`, `$D`, `codex exec`/`codex review`, writes to `~/.gstack/`, writes to the plan file, and `open` for generated artifacts. |
Access to hidden dotfiles in home directory
| 119 | If `SKILL_PREFIX` is `"true"`, suggest/invoke `/gstack-*` names. Disk paths stay `~/.claude/skills/gstack/[skill-name]/SKILL.md`. |
Access to hidden dotfiles in home directory
| 121 | If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with |
Access to hidden dotfiles in home directory
| 126 | - Missing `~/.claude/skills/gstack/.feature-prompted-continuous-checkpoint`: AskUserQuestion for Continuous checkpoint auto-commits. If accepted, run `~/.claude/skills/gstack/bin/gstack-config set che |
Access to hidden dotfiles in home directory
| 127 | - Missing `~/.claude/skills/gstack/.feature-prompted-model-overlay`: inform "Model overlays are active. MODEL_OVERLAY shows the patch." Always touch marker. |
Access to hidden dotfiles in home directory
| 140 | If B: run `~/.claude/skills/gstack/bin/gstack-config set explain_level terse`. |
Access to hidden dotfiles in home directory
| 144 | rm -f ~/.gstack/.writing-style-prompt-pending |
Access to hidden dotfiles in home directory
| 145 | touch ~/.gstack/.writing-style-prompted |
Access to hidden dotfiles in home directory
| 154 | touch ~/.gstack/.completeness-intro-seen |
Access to hidden dotfiles in home directory
| 167 | If A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry community` |
Access to hidden dotfiles in home directory
| 177 | If B→A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry anonymous` |
Access to hidden dotfiles in home directory
| 178 | If B→B: run `~/.claude/skills/gstack/bin/gstack-config set telemetry off` |
Access to hidden dotfiles in home directory
| 182 | touch ~/.gstack/.telemetry-prompted |
Access to hidden dotfiles in home directory
| 195 | If A: run `~/.claude/skills/gstack/bin/gstack-config set proactive true` |
Access to hidden dotfiles in home directory
| 196 | If B: run `~/.claude/skills/gstack/bin/gstack-config set proactive false` |
Access to hidden dotfiles in home directory
| 200 | touch ~/.gstack/.proactive-prompted |
Access to hidden dotfiles in home directory
| 241 | If B: run `~/.claude/skills/gstack/bin/gstack-config set routing_declined true` and say they can re-enable with `gstack-config set routing_declined false`. |
Access to hidden dotfiles in home directory
| 245 | If `VENDORED_GSTACK` is `yes`, warn once via AskUserQuestion unless `~/.gstack/.vendoring-warned-$SLUG` exists: |
Access to hidden dotfiles in home directory
| 257 | 3. Run `~/.claude/skills/gstack/bin/gstack-team-init required` (or `optional`) |
Access to hidden dotfiles in home directory
| 259 | 5. Tell the user: "Done. Each developer now runs: `cd ~/.claude/skills/gstack && ./setup --team`" |
Access to hidden dotfiles in home directory
| 265 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 266 | touch ~/.gstack/.vendoring-warned-${SLUG:-unknown} |
Access to hidden dotfiles in home directory
| 369 | _BRAIN_SYNC_BIN="~/.claude/skills/gstack/bin/gstack-brain-sync" |
Access to hidden dotfiles in home directory
| 370 | _BRAIN_CONFIG_BIN="~/.claude/skills/gstack/bin/gstack-config" |
Access to hidden dotfiles in home directory
| 474 | If A/B and `~/.gstack/.git` is missing, ask whether to run `gstack-artifacts-init`. Do not block the skill. |
Access to hidden dotfiles in home directory
| 479 | "~/.claude/skills/gstack/bin/gstack-brain-sync" --discover-new 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 480 | "~/.claude/skills/gstack/bin/gstack-brain-sync" --once 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 523 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" |
Access to hidden dotfiles in home directory
| 678 | Before each AskUserQuestion, choose `question_id` from `scripts/question-registry.ts` or `{skill}-{slug}`, then run `~/.claude/skills/gstack/bin/gstack-question-preference --check "<id>"`. `AUTO_DECID |
Access to hidden dotfiles in home directory
| 682 | ~/.claude/skills/gstack/bin/gstack-question-log '{"skill":"setup-gbrain","question_id":"<id>","question_summary":"<short>","category":"<approval|clarification|routing|cherry-pick|feedback-loop>","door |
Access to hidden dotfiles in home directory
| 691 | ~/.claude/skills/gstack/bin/gstack-question-preference --write '{"question_id":"<id>","preference":"<pref>","source":"inline-user","free_text":"<optional original words>"}' |
Access to hidden dotfiles in home directory
| 711 | ~/.claude/skills/gstack/bin/gstack-learnings-log '{"skill":"SKILL_NAME","type":"operational","key":"SHORT_KEY","insight":"DESCRIPTION","confidence":N,"source":"observed"}' |
Access to hidden dotfiles in home directory
| 721 | `~/.gstack/analytics/`, matching preamble analytics writes. |
Access to hidden dotfiles in home directory
| 728 | rm -f ~/.gstack/analytics/.pending-"$_SESSION_ID" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 730 | ~/.claude/skills/gstack/bin/gstack-timeline-log '{"skill":"SKILL_NAME","event":"completed","branch":"'$(git branch --show-current 2>/dev/null || echo unknown)'","outcome":"OUTCOME","duration_s":"'"$_T |
Access to hidden dotfiles in home directory
| 733 | echo '{"skill":"SKILL_NAME","duration_s":"'"$_TEL_DUR"'","outcome":"OUTCOME","browse":"USED_BROWSE","session":"'"$_SESSION_ID"'","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"}' >> ~/.gstack/analytics/skill- |
Access to hidden dotfiles in home directory
| 736 | if [ "$_TEL" != "off" ] && [ -x ~/.claude/skills/gstack/bin/gstack-telemetry-log ]; then |
Access to hidden dotfiles in home directory
| 737 | ~/.claude/skills/gstack/bin/gstack-telemetry-log \ |
Access to hidden dotfiles in home directory
| 747 | In plan mode before ExitPlanMode: if the plan file lacks `## GSTACK REVIEW REPORT`, run `~/.claude/skills/gstack/bin/gstack-review-read` and append the standard runs/status/findings table. With `NO_RE |
Access to hidden dotfiles in home directory
| 784 | ~/.claude/skills/gstack/bin/gstack-gbrain-detect |
Access to hidden dotfiles in home directory
| 849 | ~/.claude/skills/gstack/bin/gstack-gbrain-install |
Access to hidden dotfiles in home directory
| 869 | . ~/.claude/skills/gstack/bin/gstack-gbrain-lib.sh |
Access to hidden dotfiles in home directory
| 877 | printf '%s' "$GBRAIN_POOLER_URL" | ~/.claude/skills/gstack/bin/gstack-gbrain-supabase-verify - |
Access to hidden dotfiles in home directory
| 890 | now persisted in `~/.gbrain/config.json` at mode 0600 by gbrain itself. |
Access to hidden dotfiles in home directory
| 908 | . ~/.claude/skills/gstack/bin/gstack-gbrain-lib.sh |
Access to hidden dotfiles in home directory
| 921 | orgs=$(~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision list-orgs --json) |
Access to hidden dotfiles in home directory
| 950 | result=$(~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision \ |
Access to hidden dotfiles in home directory
| 953 | ~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision wait "$INFLIGHT_REF" --json |
Access to hidden dotfiles in home directory
| 954 | pooler=$(~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision \ |
Access to hidden dotfiles in home directory
| 1011 | . ~/.claude/skills/gstack/bin/gstack-gbrain-lib.sh |
Access to hidden dotfiles in home directory
| 1021 | ~/.claude/skills/gstack/bin/gstack-gbrain-mcp-verify "$MCP_URL") |
Access to hidden dotfiles in home directory
| 1047 | resting state in `~/.claude.json` mode 0600. |
Access to hidden dotfiles in home directory
| 1108 | ~10ms. The token's resting state is `~/.claude.json` (mode 0600 — Claude |
Access to hidden dotfiles in home directory
| 1147 | current_tier=$(~/.claude/skills/gstack/bin/gstack-gbrain-repo-policy get) |
Access to hidden dotfiles in home directory
| 1165 | ~/.claude/skills/gstack/bin/gstack-gbrain-repo-policy set "$REMOTE" "$TIER" |
Access to hidden dotfiles in home directory
| 1195 | `~/.gstack-artifacts-remote.txt`. Pass `--url-form-supported` from Step 4c's |
Access to hidden dotfiles in home directory
| 1200 | ~/.claude/skills/gstack/bin/gstack-artifacts-init --url-form-supported "$URL_FORM" |
Access to hidden dotfiles in home directory
| 1201 | ~/.claude/skills/gstack/bin/gstack-config set artifacts_sync_mode artifacts-only |
Access to hidden dotfiles in home directory
| 1219 | any gbrain client. The helper creates a `git worktree` of `~/.gstack/`, |
Access to hidden dotfiles in home directory
| 1223 | Capture the database URL out of `~/.gbrain/config.json` first and pass it |
Access to hidden dotfiles in home directory
| 1225 | `~/.gbrain/config.json` mid-sync (e.g., concurrent `gbrain init` runs |
Access to hidden dotfiles in home directory
| 1232 | c = json.load(open(os.path.expanduser('~/.gbrain/config.json'))) |
Access to hidden dotfiles in home directory
| 1237 | ~/.claude/skills/gstack/bin/gstack-gbrain-source-wireup --strict \ |
Access to hidden dotfiles in home directory
| 1242 | or no `~/.gstack/.git` yet) so the user sees the failure rather than silently |
Access to hidden dotfiles in home directory
| 1262 | curated `~/.gstack/` artifacts into gbrain so the retrieval surface |
Access to hidden dotfiles in home directory
| 1267 | ~/.claude/skills/gstack/bin/gstack-memory-ingest --probe |
Access to hidden dotfiles in home directory
| 1311 | ~/.claude/skills/gstack/bin/gstack-config set transcript_ingest_mode <choice> |
Access to hidden dotfiles in home directory
| 1312 | ~/.claude/skills/gstack/bin/gstack-gbrain-sync --full --no-brain-sync |
Access to hidden dotfiles in home directory
| 1340 | - Token: stored in ~/.claude.json (do not commit; never written to CLAUDE.md) |
Access to hidden dotfiles in home directory
| 1347 | in to git in many projects). It lives only in `~/.claude.json` where |
Access to hidden dotfiles in home directory
| 1356 | - Config file: ~/.gbrain/config.json (mode 0600) |
Access to hidden dotfiles in home directory
| 1383 | - `~/.gstack/` curated memory (registered as `gstack-brain-<user>` source via |
Access to hidden dotfiles in home directory
| 1457 | ~/.claude/skills/gstack/bin/gstack-gbrain-detect 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 1458 | ~/.claude/skills/gstack/bin/gstack-config get transcript_ingest_mode 2>/dev/null || echo "off" |
Access to hidden dotfiles in home directory
| 1459 | ~/.claude/skills/gstack/bin/gstack-config get artifacts_sync_mode 2>/dev/null || echo "off" |
Access to hidden dotfiles in home directory
| 1460 | [ -f ~/.gstack/.gbrain-sync-state.json ] && cat ~/.gstack/.gbrain-sync-state.json || echo "{}" |
Access to hidden dotfiles in home directory
| 1527 | `ref` doesn't match the user's active `~/.gbrain/config.json` pooler URL. |
Access to hidden dotfiles in home directory
| 1570 | that holds the pooler URL long-term is `~/.gbrain/config.json`, written |
Access to hidden dotfiles in home directory
| 1575 | - **Concurrent-run lock.** At skill start, `mkdir ~/.gstack/.setup-gbrain.lock.d` |
Access to hidden dotfiles in home directory
| 1577 | is running. Wait for it, or `rm -rf ~/.gstack/.setup-gbrain.lock.d` if |
Unicode escape sequences
| 331 | writes `\u3103` thinking it is 管 U+7BA1, but `\u3103` is |
External URL reference
| 150 | If `LAKE_INTRO` is `no`: say "gstack follows the **Boil the Lake** principle — do the complete thing when AI makes marginal cost near-zero. Read more: https://garryslist.org/posts/boil-the-ocean" Offe |
External URL reference
| 153 | open https://garryslist.org/posts/boil-the-ocean |
External URL reference
| 902 | > https://supabase.com/dashboard/account/tokens — we recommend revoking |
External URL reference
| 925 | organizations. Create one at https://supabase.com/dashboard, then re-run |
External URL reference
| 943 | echo "Delete: https://supabase.com/dashboard/project/$INFLIGHT_REF"; \ |
External URL reference
| 966 | > https://supabase.com/dashboard/account/tokens — we've already discarded |
External URL reference
| 973 | 1. Login at https://supabase.com/dashboard |
External URL reference
| 1001 | Paste your gbrain MCP URL (e.g. https://wintermute.tail554574.ts.net:3131/mcp): |
External URL reference
| 1005 | a credential). Validate it starts with `https://` (require TLS for any |
External URL reference
| 1006 | non-loopback host); refuse `http://` for non-localhost. |
External URL reference
| 1523 | https://api.supabase.com/v1/projects) |
External URL reference
| 1535 | https://api.supabase.com/v1/projects/$REF |