git-worktree
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Category: COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Potential shell command injection in terminal automation scripts.
  - Evidence (references/functions.sh): The `wt` function takes a user-provided name and passes it to the `_wt_iterm2_tab` function.
  - Evidence (references/functions.sh): Inside `_wt_iterm2_tab`, an AppleScript is executed that uses `write text "cd '" & worktreePath & "' && clear"`. If the worktree name (and thus the path) contains a single quote, it can break the shell string and execute arbitrary commands in the new iTerm2 tab context.
  - Evidence (references/iterm2-config.md): Similar unsafe interpolation patterns exist in the AppleScript code snippets provided for iTerm2 profiles and scripts, such as `write text "cd '" & worktreePath & "' && clear && echo '[WORKTREE] " & worktreeName & " ready'"`.
Audit Metadata