git-worktree
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill constructs shell commands using unvalidated strings provided by the user (e.g., [branch_name], [worktree_path]). This creates a command injection surface where a malicious input could execute arbitrary system commands.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill includes a 'pnpm install' step which downloads and executes third-party code from an external registry. Since the skill does not pin or verify the integrity of the packages being installed, it is susceptible to supply chain attacks.
- CREDENTIALS_UNSAFE (LOW): The skill explicitly instructs the agent to copy
.envfiles and SQLite databases between directories. While necessary for some development workflows, it promotes the proliferation of plaintext secrets and sensitive data across the file system. - PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted user identifiers and interpolates them into high-privilege capabilities.
- Ingestion points: [agent-name], [branch_name], and [worktree_path] variables defined in SKILL.md.
- Boundary markers: Absent from the bash scripts and instructions.
- Capability inventory: includes
git,cp,mkdir, andpnpmin SKILL.md. - Sanitization: No input validation or escaping is present for the user-supplied variables.
Audit Metadata