worktree
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is instructed to run "standard install/build commands" (e.g., based on package.json, requirements.txt, etc.) if a missing item is detected. This allows for the execution of arbitrary scripts defined within the project's dependency manifests (like prepare or postinstall), which could be malicious if the project files are untrusted.
- [PROMPT_INJECTION]: The skill extracts paths and information from $ARGUMENTS, which may contain error messages from external tools. There are no boundary markers or sanitization logic to prevent the agent from following instructions embedded within these error messages (Indirect Prompt Injection).
- Ingestion points: The $ARGUMENTS variable is used to parse missing items and error messages (SKILL.md).
- Boundary markers: Absent. No delimiters are used to separate untrusted user data from instructions.
- Capability inventory: Executes git, perl, ln, and arbitrary build scripts via subprocess across all operational steps.
- Sanitization: While it includes basic path traversal checks (canonicalization), it lacks sanitization or escaping for embedded natural language instructions in the input data.
- [COMMAND_EXECUTION]: The skill executes shell commands (perl, ln, git) using double-quoted paths derived from $ARGUMENTS. If the paths contain shell metacharacters like backticks or command substitution sequences, it could lead to arbitrary command execution on systems where the shell interprets these inside double quotes.
Audit Metadata