Skills
skills/ashe-li/agent-skills/worktree/Gen Agent Trust Hub

worktree

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The create subcommand uses the <name> parameter from $ARGUMENTS directly in shell commands (e.g., git worktree add -b worktree-<name> ~/Documents/<repo>-<name> <base-branch>) without sanitization or escaping. This allows for potential command injection if shell metacharacters (e.g., ; rm -rf /) are included in the name argument.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from GitHub PRs to automate worktree cleanup, creating a surface for indirect prompt injection. Evidence Chain: 1. Ingestion points: External data fetched via gh pr list in SKILL.md. 2. Boundary markers: Absent; the skill does not use delimiters to isolate external content. 3. Capability inventory: Shell execution via Bash tool for Git and file operations in SKILL.md. 4. Sanitization: Absent; the logic directly processes the raw output from the GitHub CLI tool.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 9, 2026, 02:16 AM