using-git-worktrees
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill automatically triggers package managers including `npm`, `pip`, `poetry`, `go`, and `cargo` to fetch and install dependencies from well-known public registries when relevant configuration files (e.g., `package.json`, `requirements.txt`) are detected.
- [COMMAND_EXECUTION]: The skill executes multiple shell-based commands for environment setup, including `git worktree add` for workspace creation, `git commit` for persisting `.gitignore` updates, and arbitrary test runners such as `npm test`, `cargo test`, `pytest`, and `go test` to verify the baseline state of the worktree.
- [PROMPT_INJECTION]: The skill identifies a potential surface for indirect prompt injection by extracting configuration preferences from the `CLAUDE.md` file using `grep`. If an attacker provides a repository with a maliciously crafted `CLAUDE.md`, they could attempt to influence the file paths or command parameters used by the agent during worktree setup.
  - Ingestion points: The `CLAUDE.md` file via the command `grep -i "worktree.*director" CLAUDE.md`.
  - Boundary markers: Absent; there are no delimiters or instructions provided to the agent to disregard instructions embedded within the configuration file.
  - Capability inventory: The skill possesses the capability to modify the file system, alter repository history, download external code via package managers, and execute project-defined scripts and binaries.
  - Sanitization: No validation or sanitization logic is present to verify the integrity or safety of the directory paths or strings extracted from the configuration file before they are incorporated into subsequent shell operations.