worktree-dispatch
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill instructions provide a template for running tasks in background tmux sessions that is vulnerable to command injection. Specifically, the template 'tmux new-session -d -s "wt switch -c -x claude -- 'prompt'"' uses single quotes to wrap the user prompt inside a double-quoted string. An attacker can use a single quote in their task description to break out of the command context and execute arbitrary shell commands.
- PROMPT_INJECTION (LOW): The skill creates a surface for indirect prompt injection by delegating unvalidated user input to secondary agents.
  1. Ingestion points: User tasks provided via the $ARGUMENTS variable.
  2. Boundary markers: Absent; the skill does not wrap the delegated prompts in delimiters or instructions to ignore embedded commands.
  3. Capability inventory: Spawning subprocesses and new agent sessions via wt and tmux.
  4. Sanitization: None; the skill uses raw interpolation of user input into both temporary files and active shell commands.
Recommendations
- AI detected serious security threats