worktree
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Command Execution] (LOW): The skill instructs the agent to execute the
gh wt addcommand via the system shell. This is the primary function of the skill but represents a risk if the input parameters are not strictly controlled. - [Indirect Prompt Injection] (LOW): The skill possesses an attack surface where untrusted data (the branch name) is interpolated into a shell command.
- Ingestion points: The
<branch>variable inSKILL.mdis populated from the agent's plan or user input. - Boundary markers: Absent. There are no delimiters surrounding the input or instructions to ignore embedded commands.
- Capability inventory: Execution of shell commands via the GitHub CLI (
gh). - Sanitization: The skill contains a natural language constraint ('branch名にslashは使わないこと'), but no programmatic sanitization or escaping is defined to prevent shell metacharacters (e.g.,
;,|,&) from being executed if they are present in the branch name.
Audit Metadata