worktree
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill instructs the agent to fetch and execute external, untrusted content from Pull Requests.
  - Ingestion points: `git fetch origin pull/...` downloads untrusted code into the local environment (SKILL.md).
  - Boundary markers: None. There are no instructions to verify the content of the PR before execution.
  - Capability inventory: The skill suggests running `npm install` and `npm test` on this untrusted code, which can trigger arbitrary code execution via npm lifecycle scripts (postinstall, etc.).
  - Sanitization: Absent. No validation of `package.json` or source code is suggested before execution.
- [Command Execution] (MEDIUM): The skill uses shell scripts to automate worktree management, which includes directory traversal (`../${PWD##*/}-$FEATURE`) and iteration over paths returned by git.
  - While standard for this context, an agent executing these scripts on a compromised repository could be led to manipulate files outside the intended project scope.
Recommendations
- AI detected serious security threats
Audit Metadata