skills/disler/claude-code-hooks-multi-agent-observability/worktree-manager-skill/Gen Agent Trust Hub
worktree-manager-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill performs automatic package installation using `npm install` or `bun install` during the worktree creation process. This involves downloading and executing third-party code from external registries without explicit user validation of the dependencies being fetched.
- COMMAND_EXECUTION (MEDIUM): The skill uses the `Bash` tool to perform high-privilege system operations, including `kill -9` for process termination and directory removal. These actions are performed based on branch names which are user-controlled and not explicitly sanitized.
- REMOTE_CODE_EXECUTION (MEDIUM): The dependency installation phase executes code from potentially untrusted sources via package scripts (preinstall/postinstall) that run during the installation process.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection.
  - Ingestion points: Branch names provided as arguments to `/create_worktree` and `/remove_worktree` in `OPERATIONS.md` and `SKILL.md`.
  - Boundary markers: Absent. The branch name is treated as a direct string argument for shell commands.
  - Capability inventory: Extensive shell access via the `Bash` tool for git operations, directory management, and package installation.
  - Sanitization: Absent. There is no instruction to validate or escape branch names before they are interpolated into commands like `git worktree add trees/<branch-name>`. An attacker could provide a branch name containing shell metacharacters to execute unauthorized commands.