using-git-worktrees
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill automatically invokes package managers (
npm install,pip install,poetry install,go mod download) based on the presence of project manifest files. This behavior can be exploited to perform remote code execution if a project contains a malicious manifest targeting public registries. - COMMAND_EXECUTION (MEDIUM): The skill executes test suites (
npm test,cargo test,pytest,go test) to verify a clean workspace baseline. This involves executing arbitrary code located within the repository's test files, which is a significant risk when working on untrusted codebases or branches. - PROMPT_INJECTION (LOW): The skill demonstrates an indirect prompt injection surface by reading configuration preferences from
CLAUDE.mdand repository manifests without adequate sanitization or boundary enforcement. - Ingestion points:
CLAUDE.md(read via grep),package.json,Cargo.toml,requirements.txt,pyproject.toml,go.mod. - Boundary markers: Absent; the skill does not utilize delimiters or specific warnings to ignore embedded instructions within these data sources.
- Capability inventory: File system modification (
git worktree add,git commit), network access (via package managers), and arbitrary shell execution (via test runners). - Sanitization: Absent; paths and configuration values derived from repository files are used directly in shell commands.
Audit Metadata