using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill automatically runs installation and build commands (npm install, pip install, poetry install, cargo build) inside a new worktree. Malicious repositories can exploit this by defining arbitrary code in pre-install hooks or setup scripts.
- [COMMAND_EXECUTION] (HIGH): The skill executes test suites (npm test, cargo test, pytest, go test) automatically. If the repository is untrusted, this provides an immediate vector for executing malicious code under the guise of a baseline test check.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill has a high-risk attack surface as it ingests untrusted data from files like CLAUDE.md, package.json, and requirements.txt to determine its behavior and setup steps. Evidence:
  1. Ingestion points: CLAUDE.md, package.json, Cargo.toml.
  2. Boundary markers: absent.
  3. Capabilities: arbitrary command execution and file modification (.gitignore).
  4. Sanitization: absent.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill triggers automated downloads from external registries (npm, PyPI, Cargo) without verifying the contents or asking for user confirmation of the dependency tree.
- [COMMAND_EXECUTION] (MEDIUM): Shell commands are constructed using environment-derived variables like $BRANCH_NAME. Although the variables are quoted, there is a risk of injection if the agent is manipulated into using malicious branch names or project paths.
Recommendations
- AI detected serious security threats
Audit Metadata