Summary
Ran a security audit of gstack v0.11.17.0. No malicious behavior found — gstack does not access Claude conversations and operates as advertised. However, a few findings are worth discussing from a transparency perspective.
Findings
1. gstack-global-discover reads ~/.claude/projects/ session files
bin/gstack-global-discover reads the first 8KB of JSONL files in ~/.claude/projects/ to extract the cwd (working directory) field. It also scans ~/.codex/sessions/ and ~/.gemini/tmp/.
While it does not read conversation content, it does learn which repositories a user works in and when they were last active. This is used by /retro but isn't clearly disclosed during installation.
Suggestion: Document this access pattern in the README or during first-run onboarding. Users should know gstack reads session metadata from ~/.claude/projects/ before opting in.
2. Local telemetry always writes regardless of tier
skill-usage.jsonl gets entries on every skill invocation even when telemetry is set to off. The local file includes _repo_slug (repo basename) and _branch (git branch name).
These fields are stripped before remote sync, which is good. But users who set telemetry: off likely expect no data is recorded anywhere.
Suggestion: When telemetry: off, skip local JSONL writes entirely — or clearly document that local logging still occurs.
3. Version check phones home on every session
Every skill invocation triggers a network call to raw.githubusercontent.com and (if telemetry is not off) to Supabase. The version check sends OS and gstack version.
Suggestion: Respect telemetry: off for the Supabase ping. The GitHub raw check is reasonable but could be documented.
4. Onboarding nudges toward community telemetry
The first-run preamble uses persuasive framing to encourage the "community" telemetry tier. This is a soft concern — it's one-time and users can decline — but the framing could be more neutral.
What's working well
- Conversation content is never accessed
- No writes to ~/.claude/settings.json or hooks
- No credential/API key exfiltration
- RLS policies deny anon reads on telemetry tables
- _repo_slug and _branch confirmed stripped before remote sync
- Source available for all scripts including the compiled binary
- installation_id uses random UUID (fixed from hostname hash in v0.11.16.1)
Environment
- gstack v0.11.17.0
- macOS (Darwin 25.2.0)
- Telemetry tier: anonymous
Thanks for building this in the open — these are transparency suggestions, not accusations. Happy to discuss.
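To make finding 1 concrete for anyone reviewing their own exposure, here is an added Python example (not gstack's code, and not written by the issue author) that performs the same kind of head-only scan the issue describes: it reads only the first 8KB of each session JSONL file under a projects directory, pulls out the `cwd` field if it appears in that window, and records the file's modification time. The fixture it builds is constructed sample data, not real Claude session files; the function names and the 8192-byte constant are this example's own assumptions, chosen to match the "first 8KB" wording above. Running it shows exactly what a tool with this access pattern learns (which repository paths, and when) and what it does not (a `cwd` that only occurs past the 8KB head is missed, and conversation content is never parsed).

```python
import json
import os
import tempfile
from pathlib import Path

HEAD_BYTES = 8192  # "first 8KB" as described in the finding (assumed exact value)


def extract_cwd_from_head(head: bytes):
    """Return the first 'cwd' value found in a JSONL head, or None.

    The head is a byte-bounded read, so the final line may be truncated;
    any line that does not parse as JSON is skipped rather than treated as data.
    """
    for raw in head.split(b"\n"):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except (ValueError, UnicodeDecodeError):
            continue  # truncated tail or non-JSON line
        if isinstance(rec, dict) and isinstance(rec.get("cwd"), str):
            return rec["cwd"]
    return None


def discover_session_metadata(projects_root, head_bytes=HEAD_BYTES):
    """Inventory what a head-only scan reveals per session file:
    relative path, working directory (if present in the head), last-modified time.
    Nothing beyond the first `head_bytes` of each file is ever read.
    """
    root = Path(projects_root)
    inventory = []
    for path in sorted(root.rglob("*.jsonl")):
        with open(path, "rb") as fh:
            head = fh.read(head_bytes)
        inventory.append({
            "file": str(path.relative_to(root)),
            "cwd": extract_cwd_from_head(head),
            "last_active": path.stat().st_mtime,
        })
    return inventory


def repos_disclosed(inventory):
    """Distinct repository paths a scanner would learn from the inventory."""
    return sorted({row["cwd"] for row in inventory if row["cwd"]})


def build_sample_projects(base):
    """Constructed fixture (not real session data): two fake projects.

    project-a: cwd appears on the second line, inside the 8KB head.
    project-b: ~12KB of filler records come first, so cwd lies past the head.
    """
    base = Path(base)
    a = base / "project-a"
    a.mkdir(parents=True, exist_ok=True)
    (a / "session-1.jsonl").write_text(
        json.dumps({"type": "summary", "summary": "constructed"}) + "\n"
        + json.dumps({"type": "user", "cwd": "/home/example/repo-a"}) + "\n"
    )
    b = base / "project-b"
    b.mkdir(parents=True, exist_ok=True)
    filler = json.dumps({"type": "message", "content": "x" * 120}) + "\n"
    (b / "session-1.jsonl").write_text(
        filler * 100  # well over 8KB of non-cwd lines
        + json.dumps({"type": "user", "cwd": "/home/example/repo-b"}) + "\n"
    )
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_projects(tmp)
        for row in discover_session_metadata(tmp):
            print(row)
        print("repos disclosed:", repos_disclosed(discover_session_metadata(tmp)))
```

Point the `discover_session_metadata` function at a real `~/.claude/projects/` directory only if you want to see your own disclosure surface; the example ships with the constructed fixture so it runs offline.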
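Findings 2 and 3 both come down to one policy question: what does `telemetry: off` actually gate? The added Python example below (illustrative code, not gstack's implementation and not part of the issue) models the behaviour the issue suggests: under `off` no skill-usage entry is written locally at all, under the other tiers the local JSONL keeps `_repo_slug` and `_branch`, and the outbound view strips every underscore-prefixed field before it could leave the machine. It also encodes the version-check split the issue proposes, where the static GitHub raw fetch is allowed for every tier and the Supabase ping honours `off`. The tier names `off`, `anonymous` and `community` are taken from the issue; the class and function names, the record layout, and the idea that "private" means "underscore-prefixed" are this example's assumptions.

```python
import json
import time
from pathlib import Path

TIERS = ("off", "anonymous", "community")  # tier names from the issue; ordering assumed


def strip_private_fields(record: dict) -> dict:
    """Drop underscore-prefixed keys (e.g. _repo_slug, _branch) before any remote sync."""
    return {k: v for k, v in record.items() if not k.startswith("_")}


class SkillUsageLog:
    """Local skill-usage log whose writes respect the telemetry tier.

    Suggested behaviour from the issue: when tier == "off", nothing is recorded anywhere,
    locally or remotely.
    """

    def __init__(self, path, tier: str):
        if tier not in TIERS:
            raise ValueError(f"unknown telemetry tier: {tier!r}")
        self.path = Path(path)
        self.tier = tier

    def record(self, skill: str, repo_slug: str, branch: str):
        """Append one entry to the local JSONL, or skip entirely under 'off'.

        Returns the entry written, or None when nothing was written.
        """
        if self.tier == "off":
            return None
        entry = {
            "skill": skill,
            "ts": int(time.time()),
            "_repo_slug": repo_slug,  # local-only field
            "_branch": branch,        # local-only field
        }
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry

    def pending_remote(self):
        """Records as they would leave the machine: private fields stripped, none under 'off'."""
        if self.tier == "off" or not self.path.exists():
            return []
        with open(self.path, encoding="utf-8") as fh:
            return [strip_private_fields(json.loads(line)) for line in fh if line.strip()]


def should_contact(tier: str, service: str) -> bool:
    """Per-session network policy suggested in finding 3.

    'github_raw': static version file, allowed for every tier.
    'supabase':   telemetry endpoint, must honour 'off'.
    """
    if tier not in TIERS:
        raise ValueError(f"unknown telemetry tier: {tier!r}")
    if service == "github_raw":
        return True
    if service == "supabase":
        return tier != "off"
    raise ValueError(f"unknown service: {service!r}")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        log = SkillUsageLog(Path(tmp) / "skill-usage.jsonl", "anonymous")
        log.record("retro", "example-repo", "main")  # constructed values
        print("local entry keeps private fields:", open(log.path).read().strip())
        print("remote view:", log.pending_remote())
        print("supabase under off:", should_contact("off", "supabase"))
```

The important property to check in a real implementation is the first branch of `record`: if the tier check only guards the sync step, the local file still grows under `off`, which is exactly the mismatch the issue describes.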