using-git-worktrees

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS | REMOTE_CODE_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted data from local project files (e.g., CLAUDE.md, package.json, requirements.txt) and uses their presence to trigger high-privilege operations like package installation and test execution. Evidence: The 'Creation Steps' section automatically runs 'npm install' or 'pip install' if specific files are found. An attacker can include malicious scripts in these files that execute when the agent attempts to set up the worktree.
  • Unverifiable Dependencies (MEDIUM): The skill performs automatic dependency installation from public registries. Although it uses standard tools, it does not verify the integrity or source of the project configuration files before execution, which can lead to supply chain attacks if the repo being worked on is untrusted.
  • Command Execution (MEDIUM): The skill dynamically constructs shell commands using repository-derived strings (project names, branch names) and directory paths. Evidence: The path construction logic 'path="$LOCATION/$BRANCH_NAME"' and subsequent execution of 'git worktree add' and 'cd' use variables that could be manipulated to achieve directory traversal or command injection if branch names are maliciously crafted.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:49 AM