git-worktree-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute shell commands using unvalidated variables like 'branch-name' and 'WorktreeName'. An attacker could name a branch with shell metacharacters (e.g., '; rm -rf /') to achieve arbitrary command execution when the agent processes the branch.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The installation guide suggests symlinking a script ('worktree.sh') from an absolute path not contained within the provided skill files. Executing unverified local scripts is a significant security risk.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from the local git environment (branch names, worktree lists) and possesses write/execute capabilities (git, gh, ln). There are no boundary markers or sanitization logic to prevent malicious data from hijacking the agent's instructions.
- [DATA_EXFILTRATION] (LOW): The use of 'git push' and 'gh pr create' provides a functional network path for data exfiltration. While standard for the skill's purpose, this capability could be exploited if the agent's logic is subverted.
Recommendations
- AI detected serious security threats