using-git-worktrees
Audited by Socket on Feb 22, 2026
1 alert found:
Security [Skill Scanner]: Credential file access detected

All findings:
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

Assessment: Functionally coherent and aligned with the stated purpose (creating isolated git worktrees and preparing them). Not malicious by itself, but contains moderate supply-chain and repository-mutation risks: automatic dependency installs (network fetch plus script execution) and automatic .gitignore commits without explicit per-action confirmation. Recommend requiring explicit user confirmation before mutating the repo and before running any dependency installs or tests, running installs in a sandbox or using lockfiles, and validating user-provided LOCATION/BRANCH_NAME to avoid path/command injection. Overall suitable for use with interactive user consent; avoid running unattended.

LLM verification: The skill implements an expected developer workflow for creating isolated git worktrees with safety checks and baseline verification. It contains no clear indicators of obfuscated code, hardcoded credentials, remote exfiltration instructions, or backdoors. Main security concerns are operational and supply-chain: (1) automatic commits to .gitignore without explicit confirmation, and (2) running dependency installers and tests (which execute untrusted project/dependency scripts) without sandboxing.