git-worktree
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/worktree-manager.sh` performs several shell operations, including `git checkout`, `git pull`, `git worktree add`, and `git worktree remove`. These actions are driven by user- or agent-provided arguments, allowing direct interaction with the repository's state.
- [DATA_EXFILTRATION]: The skill explicitly targets and copies sensitive configuration files (specifically those matching the `.env*` pattern) from the repository root to subdirectory worktrees. Although this is a documented feature intended to maintain development parity, it duplicates secrets across the local filesystem, increasing the potential exposure of credentials.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the `branch_name` argument. If the agent receives a malicious branch name from an untrusted external source (such as a pull request title), the lack of validation in the script could allow path traversal. For example, a branch name containing `../../` would enable the script to create directories or copy sensitive files outside of the intended `.worktrees/` directory.
- Ingestion points: The `branch_name` and `from_branch` parameters in `scripts/worktree-manager.sh` (lines 62, 143).
- Boundary markers: None. The script does not use delimiters or instructions to ignore embedded commands in the input strings.
- Capability inventory: The script can create directories (`mkdir`), execute Git commands (`git worktree`), and copy files (`cp`).
- Sanitization: While variables are double-quoted to prevent word splitting, there is no validation or sanitization of the string content to prevent path traversal or shell manipulation.
Audit Metadata