git-worktree

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill fetches untrusted, user-generated content — e.g., GH PR title/body via "gh pr view" in Workflow A (SKILL.md and create-worktree/create-and-open.sh) and arbitrary repository URLs via the Bare Clone flow (scripts/bare-clone.sh) — and injects that content into the assistant context (passed as --context and written to CLAUDE.local.md), which the agent is expected to read and which can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes gh pr view at runtime to fetch a GitHub PR's title/body (i.e. the PR URL like https://github.com/.../pull/{NUMBER}), and that fetched PR content is injected into the --context / CLAUDE.local.md which directly controls the agent's prompt/context.