git-worktree
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script `scripts/worktree-manager.sh` programmatically identifies and copies all environment configuration files (e.g., `.env`, `.env.local`, `.env.test`) from the main repository root to new worktree directories. This behavior involves accessing and duplicating sensitive credentials without individual user approval.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its processing of branch names derived from external sources.
  - Ingestion points: The `branch_name` variable in `scripts/worktree-manager.sh` is populated from user input or the Git environment.
  - Boundary markers: There are no explicit boundary markers or instructions to ignore embedded commands within the branch names being processed.
  - Capability inventory: The skill executes several powerful shell commands including `git worktree add`, `mkdir`, `cp`, and `git pull` (documented in `scripts/worktree-manager.sh`).
  - Sanitization: While directory names are partially sanitized by replacing slashes with underscores, the branch names themselves are used directly in Git commands with only standard shell quoting.
- [COMMAND_EXECUTION]: The skill relies on a standalone Bash script (`worktree-manager.sh`) to perform all operations, including system-level directory creation and Git synchronization.
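The findings above describe one flow: derive a directory name from the branch by replacing slashes, run `git worktree add`, `mkdir` and `git pull`, and `cp` the `.env*` files into the new worktree. The following is an added example, not part of this audit and not the audited skill's own `scripts/worktree-manager.sh`, showing how a hardened version of that flow treats the branch name as untrusted input: it rejects names that git would parse as options (a leading `-`) or that violate ref syntax, passes `--` so option parsing ends before the name, sanitizes the directory name beyond slash replacement, and copies environment files only when the caller opts in, reporting each copy instead of doing it silently. The function names, the sibling `worktrees/` directory and the `COPY_ENV` variable are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (POSIX-sh compatible): a hardened sketch of the worktree flow the
# audit describes. Not the project's scripts/worktree-manager.sh; all names below
# are this example's own.
set -eu

# Environment files the audit says the original script copies automatically.
ENV_FILE_CANDIDATES='.env .env.local .env.test'

# validate_branch_name NAME -> exit 0 if NAME is safe to hand to git, else 1.
# A branch name that arrives from an issue title, a PR, or model output is
# untrusted input, so it is checked, not merely quoted.
validate_branch_name() {
  local name="$1"
  case "$name" in
    '') return 1 ;;                                   # empty
    -*) return 1 ;;                                   # git would parse it as an option
    .*|*/.*|*..*|*.lock|*/|*//*) return 1 ;;          # ref-format violations, also path tricks
    *[[:space:]]*|*[[:cntrl:]]*) return 1 ;;          # whitespace / control characters
    *'~'*|*'^'*|*':'*|*'?'*|*'*'*|*'['*|*'\'*|*'@{'*) return 1 ;;  # characters git refs forbid
  esac
  # Let git apply its full ref syntax rules when it is installed.
  if command -v git >/dev/null 2>&1; then
    git check-ref-format "refs/heads/$name" >/dev/null 2>&1 || return 1
  fi
  return 0
}

# sanitize_dir_name NAME -> a directory-safe name. The audit notes the original
# only replaced '/' with '_'; this also maps every other character outside
# [A-Za-z0-9._-] to '_', so the result holds no path separator or shell metachar.
sanitize_dir_name() {
  printf '%s\n' "$1" | sed 's/[^A-Za-z0-9._-]/_/g'
}

# copy_env_files REPO_ROOT WORKTREE_DIR -> copy the candidate env files, but only
# when the caller opted in with COPY_ENV=1 (assumed variable), and report every
# file copied so the credential duplication the audit flags is visible.
copy_env_files() {
  local repo_root="$1" worktree_dir="$2" f
  if [ "${COPY_ENV:-0}" != 1 ]; then
    echo "skipping env files (set COPY_ENV=1 to copy them into $worktree_dir)"
    return 0
  fi
  for f in $ENV_FILE_CANDIDATES; do
    if [ -f "$repo_root/$f" ]; then
      cp -- "$repo_root/$f" "$worktree_dir/$f"
      echo "copied $f into $worktree_dir (may contain secrets; do not commit)"
    fi
  done
}

# create_worktree REPO_ROOT BRANCH -> add a worktree for BRANCH under an assumed
# sibling directory ../worktrees. '--' ends option parsing on every command that
# receives the branch-derived value, so it can never be read as a flag.
create_worktree() {
  local repo_root="$1" branch="$2" dir_name worktree_dir
  validate_branch_name "$branch" || { echo "refusing unsafe branch name: $branch" >&2; return 1; }
  dir_name="$(sanitize_dir_name "$branch")"
  worktree_dir="$repo_root/../worktrees/$dir_name"
  mkdir -p -- "$repo_root/../worktrees"
  git -C "$repo_root" worktree add -- "$worktree_dir" "$branch"
  git -C "$worktree_dir" pull --ff-only || echo "pull skipped: no upstream for $branch" >&2
  copy_env_files "$repo_root" "$worktree_dir"
}

# Usage: ./worktree-hardened.sh REPO_ROOT BRANCH   (COPY_ENV=1 opts in to env copy)
# Runs only when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  create_worktree "$1" "$2"
fi
```

Quoting alone does not make a branch name safe: `"-rf"` survives shell quoting intact and is then parsed by git as an option, which is why the validation rejects a leading `-` and the calls use `--`. Sanitizing the directory name is a separate concern from validating the branch name; the first protects the filesystem path, the second protects the git command line.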
Audit Metadata