using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill automatically executes shell commands such as `npm install`, `pip install`, and `cargo build` based on the detection of specific files in the repository. This allows any repository to trigger arbitrary command execution on the host system.
- [REMOTE_CODE_EXECUTION] (HIGH): By invoking package managers, the skill triggers the download and execution of code from remote registries. Maliciously crafted repository configurations can use pre-install hooks or dependency overrides to gain remote control.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to indirect prompt injection. (1) Ingestion points: it reads `CLAUDE.md` and build configuration files from the repository. (2) Boundary markers: absent. (3) Capability inventory: full subprocess execution for installers and test suites. (4) Sanitization: absent. Malicious instructions in `CLAUDE.md` could be used to manipulate directory selection or baseline test behavior.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill automates external downloads from public registries (npm, PyPI, etc.) as part of its setup process without requiring manual verification of the package manifests.
Recommendations
- AI detected serious security threats
Audit Metadata