git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Prompt Injection] (HIGH): The skill describes an Indirect Prompt Injection vector where an agent is instructed to fetch and check out code from external, untrusted Pull Requests (e.g., git fetch origin pull/123/head). Evidence:
  1. Ingestion point: git fetch in SKILL.md.
  2. Boundary markers: Absent.
  3. Capability inventory: npm install, npm test, git worktree add in SKILL.md.
  4. Sanitization: Absent.
- [Remote Code Execution] (HIGH): The skill explicitly suggests running 'npm install' and 'npm test' on code checked out from external PRs. This allows for arbitrary code execution via package.json lifecycle scripts (preinstall/postinstall) or malicious test suites.
- [Command Execution] (MEDIUM): The skill utilizes direct shell command execution for setting up workspaces and copying environment files (cp ../.env .env.local) without performing validation or integrity checks on the source branch.
- [External Downloads] (LOW): The skill performs network operations via 'git fetch' to retrieve external data, which is a necessary function but serves as the entry point for the injection attack.
Recommendations
- AI detected serious security threats