daft-worktree-workflow

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE (flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The toolkit is designed to execute Git commands and user-defined lifecycle hooks.
  • Evidence: 'src/hooks/yaml_executor/command.rs' implements hook execution using 'sh -c'.
  • Evidence: 'src/exec.rs' implements the '-x/--exec' flag for arbitrary command execution in new worktrees.
  • [EXTERNAL_DOWNLOADS]: The project's configuration files ('daft.yml') and documentation include instructions to download and install well-known development tools and the toolkit's own installer.
  • Evidence: 'daft.yml' contains jobs to download and install Homebrew and Mise from their official domains.
  • Evidence: 'README.md' and 'installation.md' provide installer scripts for macOS, Linux, and Windows hosted on the project's official GitHub repository.
  • [SAFE]: No malicious behavior or prompt injection patterns were found. The tool includes defensive coding practices, such as sanitizing repository names to prevent path traversal vulnerabilities, and requires explicit user trust before running hooks from a repository.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 13, 2026, 12:51 PM