git-worktree
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes Git and shell commands to manage the worktree lifecycle. It includes multiple safety checks to prevent accidental data loss or system errors:
  - Validates the repository root using `git rev-parse --show-toplevel` before performing any operations.
  - Checks the status of a worktree (`git status --short`) before removal to ensure no uncommitted changes are lost.
  - Implements a multi-step logic for deleting a worktree the user is currently inside: it resolves the target path, moves the execution context to a safe main worktree, and then executes the removal command.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests natural language input (task intent, branch names) which is used to construct shell commands and directory paths. It proactively addresses this attack surface:
  - Ingestion points: User descriptions of tasks or branch names provided during prompts (`rules/worktree-lifecycle.md`, Section 2).
  - Boundary markers: Instructions specify using a "sanitized slug algorithm" to transform user input into safe labels.
  - Capability inventory: Shell commands including `git worktree add`, `mkdir`, and `printf` are used across the lifecycle rules (`rules/worktree-lifecycle.md`).
  - Sanitization: Rule 2 defines a strict sanitization process: lowercasing input, replacing shell-sensitive characters and whitespace with hyphens, and explicitly rejecting reserved labels like `.`, `..`, or `.git` to prevent path traversal or command injection.
- [EXTERNAL_DOWNLOADS]: The `references/source-survey.md` file contains a curated list of external URLs for documentation and community tools. These references target well-known technology companies and services (such as Git-SCM, Anthropic, JetBrains, Microsoft, and official package registries) and are documented neutrally as research rationale with no automated execution logic.
Audit Metadata