worktree-manager
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- Persistence Mechanisms (MEDIUM): The skill documentation provides instructions to execute `wt config shell install`, a command intended to modify shell startup files (such as `.bashrc` or `.zshrc`). While the instructions mandate seeking user confirmation before execution, modifying shell profiles is a categorized persistence vector.
- Indirect Prompt Injection (LOW): The skill is susceptible to indirect prompt injection because it accepts user-provided branch or worktree names and interpolates them directly into shell commands without sanitization.
  - Ingestion points: User-provided `<name>` inputs in the `SKILL.md` workflows.
  - Boundary markers: Absent; the input is concatenated directly into the command string.
  - Capability inventory: The skill executes shell commands via `git` and `wt`, and runs a local installation script (`scripts/install_worktrunk.sh`).
  - Sanitization: Absent; there is no logic to escape or validate shell metacharacters within the user input.
- Unverifiable Dependencies & Remote Code Execution (LOW): The skill facilitates the installation of the third-party `worktrunk` tool using standard package managers (Homebrew, Cargo, Winget). Although these are established registries, the tool and its repository are not part of the explicitly trusted source list.
- Command Execution (LOW): The skill invokes a local shell script (`scripts/install_worktrunk.sh`) and various Git/Worktrunk commands to perform its operations. The installer script uses standard system utilities to detect the operating system and call appropriate package managers.
Audit Metadata