fork
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically constructs Bash commands using user-provided arguments like
<branch>and<ref>. If a user provides a malicious branch name containing shell metacharacters (e.g.,;,&,|), it could lead to arbitrary command execution during the execution of thewtcommand or during context handoff preparation. - [COMMAND_EXECUTION]: In Background mode, the skill executes a background process where the log redirection path is constructed using the user-provided branch name (
/tmp/fork-<branch>.log). This provides an additional vector for command injection or unauthorized file system writes via shell redirection. - [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface when generating the session handoff.
- Ingestion points: Session history components (Current Task, Progress, Decisions) are extracted from the current conversation and stored in a file named
handoff.md(or.context/handoff.md). - Boundary markers: Absent; the handoff uses standard Markdown headers but lacks explicit safety delimiters or instructions to the receiving agent to treat the data as untrusted.
- Capability inventory: The skill uses a Bash tool to execute worktree commands and file operations, alongside various team and task management tools (
TeamCreate,TaskCreate,Task,TaskUpdate) for delegating work. - Sanitization: Absent; user-influenced context is interpolated directly into the handoff template without filtering for potentially malicious instructions that could manipulate the behavior of the newly spawned agent session.
Audit Metadata