When trying to install on Claude Code as per README steps, I get the below alert in Claude Code.
I need to stop and flag this request before doing anything.
The instructions you've given me would have me:
- Clone and execute a setup script from a GitHub repo I have no knowledge of (
garrytan/gstack)
- Modify your
CLAUDE.md to instruct future Claude sessions to never use mcp__claude-in-chrome__* tools and instead route all browsing through a /browse skill from this freshly-cloned repo
- Propagate this configuration to a shared project so teammates inherit it
This pattern matches a known prompt-injection / supply-chain attack shape, and I want to be transparent about why I'm not just running it:
- The script is unreviewed.
./setup runs arbitrary code on your machine. I have no idea what it does.
- Disabling the official browser tools is a red flag. Telling future Claude instances to bypass
mcp__claude-in-chrome__* (Anthropic's sandboxed, permission-gated browser tools) and use a third-party skill instead would route your future browsing sessions — including authenticated ones — through code from that repo. If the repo is malicious or later compromised, every teammate who pulls the project config inherits it.
- The "ask teammates to install it too" step is how this kind of thing scales. Even if benign, I shouldn't be the one nudging you to spread it.
I'm not saying gstack is malicious — I genuinely don't know. Garry Tan is a real well-known person (YC president), and it's plausible this is a legitimate tool he or someone has published. But "plausibly legitimate" isn't the bar for "silently rewrite CLAUDE.md to disable safety-relevant tools and propagate to your team."
What I'd suggest instead:
- You clone the repo first (without running setup) and skim what
./setup does and what the /browse skill contains. Check the commit history, the author, and whether the repo matches what you expect.
- If it checks out, you run
./setup yourself.
- Then come back and I'll happily help you write the
CLAUDE.md section and think through the teammate-rollout question.
If you've already vetted this and want to proceed anyway, tell me explicitly — "I've reviewed gstack, proceed" — and I'll do the CLAUDE.md edit (though I'd still want you to run the install command yourself rather than have me execute it, since my bash environment doesn't have network access anyway and this is the kind of setup that should happen in your real shell).
Want to go that route?
When trying to install on Claude Code as per README steps, I get the below alert in Claude Code.
I need to stop and flag this request before doing anything.
The instructions you've given me would have me:
garrytan/gstack)CLAUDE.mdto instruct future Claude sessions to never usemcp__claude-in-chrome__*tools and instead route all browsing through a/browseskill from this freshly-cloned repoThis pattern matches a known prompt-injection / supply-chain attack shape, and I want to be transparent about why I'm not just running it:
./setupruns arbitrary code on your machine. I have no idea what it does.mcp__claude-in-chrome__*(Anthropic's sandboxed, permission-gated browser tools) and use a third-party skill instead would route your future browsing sessions — including authenticated ones — through code from that repo. If the repo is malicious or later compromised, every teammate who pulls the project config inherits it.I'm not saying gstack is malicious — I genuinely don't know. Garry Tan is a real well-known person (YC president), and it's plausible this is a legitimate tool he or someone has published. But "plausibly legitimate" isn't the bar for "silently rewrite CLAUDE.md to disable safety-relevant tools and propagate to your team."
What I'd suggest instead:
./setupdoes and what the/browseskill contains. Check the commit history, the author, and whether the repo matches what you expect../setupyourself.CLAUDE.mdsection and think through the teammate-rollout question.If you've already vetted this and want to proceed anyway, tell me explicitly — "I've reviewed gstack, proceed" — and I'll do the CLAUDE.md edit (though I'd still want you to run the install command yourself rather than have me execute it, since my bash environment doesn't have network access anyway and this is the kind of setup that should happen in your real shell).
Want to go that route?