using-git-worktrees

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell variables $BRANCH_NAME, $LOCATION, and $project directly in command strings within sub-skills/2-create-worktree.md. Specifically, the command git worktree add "$path" -b "$BRANCH_NAME" uses these variables without sanitization. If a user or an external source (like a branch name from a PR) provides input containing shell metacharacters or command flags (e.g., branch names starting with --), it could lead to arbitrary command execution or unexpected tool behavior.
  • [REMOTE_CODE_EXECUTION]: The script sub-skills/3-run-project-setup.md automatically runs package managers like npm install, pip install, poetry install, and go mod download based on the presence of configuration files. Similarly, sub-skills/4-verify-clean-baseline.md executes test runners like npm test, pytest, and go test. These operations execute scripts and code defined within the project repository or downloaded from external registries, which can be exploited by a malicious repository to run arbitrary code on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the download of external dependencies through multiple package managers (npm, pip, poetry, cargo, go) during the automatic setup phase in sub-skills/3-run-project-setup.md. This introduces supply chain risks if dependencies are not pinned to specific versions or if the project uses malicious package names.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection in sub-skills/2-check-claudemd.md by reading and following instructions from a CLAUDE.md file located within the target repository.
      • Ingestion points: Reads directory preferences from CLAUDE.md using grep in sub-skills/2-check-claudemd.md.
      • Boundary markers: None. The skill assumes the preferences found in the file are authoritative.
      • Capability inventory: File system writes (git worktree add), network operations (via npm install/pip install), and shell command execution (npm test, etc.).
      • Sanitization: No validation or sanitization is performed on the preference string extracted from CLAUDE.md before it is used to determine the directory location for the worktree.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 8, 2026, 01:54 PM