create-worktree
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill automatically executes dependency installation commands such as npm install, pip install, and cargo build in the new worktree. These commands can trigger arbitrary code execution via project-defined lifecycle scripts (e.g., post-install hooks in package.json or code execution during setup.py invocation) if the repository content is untrusted.
- EXTERNAL_DOWNLOADS (LOW): The automated installation process triggers downloads of third-party packages from external registries (npm, PyPI, Crates.io, etc.). This is standard behavior for the tool's purpose but represents the ingestion of external code.
- PROMPT_INJECTION (LOW): The skill ingests untrusted data from branch names and file system metadata.
- Ingestion points: Branch names provided by the user and file names detected in the repository (e.g., package.json, go.mod).
- Boundary markers: Not explicitly defined for the prompt interpolation of the branch name, though normalization (lowercasing, special character removal) is instructed.
- Capability inventory: Includes file system read/write via git worktree creation and shell execution via package managers.
- Sanitization: Includes normalization logic (converting spaces to dashes, removing special characters) which mitigates basic command injection via branch names, but does not fully prevent indirect injection if the agent is misled by malicious file content.
Audit Metadata