@gw-git-worktree-workflows

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The documentation explicitly describes and encourages the automatic copying of sensitive environment files and secrets (e.g., '.env', '.env.local', and 'secrets/' folders) across worktree directories using the 'gw init --auto-copy-files' and 'gw sync' commands.
  • [COMMAND_EXECUTION]: The troubleshooting section suggests using 'sudo' to resolve permission-related issues during worktree creation, which executes commands with root privileges.
  • [COMMAND_EXECUTION]: The 'gw install-shell' command modifies the user's shell profile files (such as '.bashrc' or '.zshrc') to enable directory navigation features, which acts as a persistence mechanism within the shell environment.
  • [COMMAND_EXECUTION]: Development instructions for the 'gw' tool mention using 'deno run --allow-all', which grants full system permissions (file, network, and environment access) to the process.
  • [PROMPT_INJECTION]: The 'gw pr' command ingests external data from GitHub pull requests, including branch names and PR descriptions, into the local environment. Evidence chain: 1. Ingestion point: Pull request metadata fetched via 'gh' CLI. 2. Boundary markers: Absent. 3. Capability inventory: Shell command execution and file system modification. 4. Sanitization: Absent. This creates an attack surface for indirect prompt injection from untrusted external content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 10:12 PM