worktree
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill constructs shell commands using the <feature-description> argument without any sanitization or escaping. An attacker could provide a malicious feature description containing shell metacharacters (e.g., ;, $(...), or |) to execute arbitrary code on the system.
- [CREDENTIALS_UNSAFE] (HIGH): The skill is designed to locate and symlink Rails master.key and other credential files. These files are highly sensitive secrets used to decrypt application data. The combination of credential access and command injection capabilities creates a critical risk of secret exfiltration.
- [PROMPT_INJECTION] (HIGH): This skill provides a significant surface for Indirect Prompt Injection (Category 8).
  1. Ingestion points: Untrusted <feature-description> argument.
  2. Boundary markers: None present.
  3. Capability inventory: File system modification (mkdir, ln) and repository manipulation (git worktree).
  4. Sanitization: None. The lack of validation on the feature slug allows it to influence the shell environment and file paths directly.
Recommendations
- AI detected serious security threats