worktree-manager-skill
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill instructs the agent to perform multiple system-level operations using the Bash tool. These include starting detached background processes for servers and clients, using `kill -9` to terminate processes by PID, and managing directory structures with `rm -rf`. These are standard for the tool's purpose but carry inherent risks if misused.
- [EXTERNAL_DOWNLOADS] (LOW): The creation process automatically triggers `npm install` or `bun install`. While standard for environment setup, this results in the download and execution of external packages, which could potentially contain malicious post-install scripts if the repository being worked on is untrusted.
- [DYNAMIC_EXECUTION] (LOW): The skill configures `.claude/settings.json` files within new worktrees that include `hooks` for prompt submission. This dynamically alters the agent's behavior and execution environment for that specific directory.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes user-provided branch names as parameters for bash commands. If branch names are not properly sanitized by the underlying slash command implementation, they could serve as an injection vector.
- Ingestion points: Branch name parameters in `/create_worktree` and `/remove_worktree` commands.
- Boundary markers: None explicitly mentioned in the instructions provided to the agent.
- Capability inventory: Bash execution, directory removal, process killing, file writing.
- Sanitization: Not explicitly documented in the operational instructions.
Audit Metadata