using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill automatically runs package manager commands (npm install, pip install, poetry install, cargo build, go mod download) and test runners (npm test, pytest, cargo test, go test) based on the presence of project files. This allows an attacker-controlled repository to execute arbitrary code on the user's system during the setup phase.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill ingests untrusted data from the repository, specifically searching CLAUDE.md via grep to determine directory locations. It lacks boundary markers and sanitization, allowing malicious metadata to influence the agent's file system operations and command execution. Evidence:
  1. Ingestion points: CLAUDE.md, project manifest files.
  2. Boundary markers: Absent.
  3. Capability inventory: Full shell/subprocess execution for multiple package managers and test frameworks.
  4. Sanitization: Absent.
- [COMMAND_EXECUTION] (MEDIUM): Executes shell commands to modify .gitignore and manage git worktrees, including writing to the user's home directory (~/.config/superpowers/).
- [EXTERNAL_DOWNLOADS] (MEDIUM): Triggers downloads from public registries (npm, PyPI, etc.) without verifying the integrity of the source repository.
Recommendations
- AI detected serious security threats