using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it treats repository content as trusted instructions for environment setup.
  * Ingestion points: Project manifest files (package.json, Cargo.toml, requirements.txt, pyproject.toml, go.mod) and project test files.
  * Boundary markers: Absent; the skill does not use delimiters or instruct the agent to ignore instructions embedded in these files.
  * Capability inventory: Full shell execution capability via package managers (npm, pip, poetry, cargo, go) and test runners (pytest, npm test).
  * Sanitization: Absent; no validation is performed on the content or scripts defined in the repository before execution.
- [COMMAND_EXECUTION] (MEDIUM): The skill performs broad command execution based on simple file detection. This creates a vector for code execution through standard package manager hooks (e.g., preinstall scripts in package.json) or malicious code within tests that the skill automatically triggers.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill performs unverifiable package installations via npm, pip, and other managers. While standard for development, when triggered automatically on untrusted repositories, this facilitates the installation of malicious dependencies.
Recommendations
- AI detected serious security threats
Audit Metadata