using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to tool output poisoning and indirect injection through repository content. It ingests untrusted data to determine its logic and command execution flow without verification.
  - Ingestion points: CLAUDE.md (for directory preferences), package.json, Cargo.toml, requirements.txt, pyproject.toml, and go.mod.
  - Boundary markers: Absent. The agent is not instructed to isolate or ignore instructions embedded in these files.
  - Capability inventory: Shell execution of git, npm, pip, poetry, cargo, and go tools, including scripts defined within the repository (e.g., 'npm test').
  - Sanitization: Absent. The skill assumes project files and scripts are safe to run, allowing a malicious repository to achieve remote code execution during the setup or baseline testing phases.
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill triggers the automated installation of dependencies and execution of test suites based on repository content. This can lead to the execution of malicious code contained within pre/post-install scripts or test files in an untrusted project.
- Dynamic Execution (MEDIUM): The skill dynamically constructs file paths and shell commands using variables derived from the local environment (project name, branch name) and detected toolchains.
Recommendations
- AI detected serious security threats
Audit Metadata