git-worktree
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute multiple shell commands including
git,basename, and criticallyrm -rf. These commands are constructed using variables derived from external data. - [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). The skill processes branch names from remote references (
origin/<branch-name>) and user input, which are then interpolated directly into shell commands. An attacker-controlled branch name containing shell metacharacters (e.g.,;,&,|) could lead to arbitrary code execution. - Ingestion points: Branch names from remote repository metadata (via
git fetch) and user input provided to the agent. - Boundary markers: None defined; instructions suggest direct interpolation into shell strings.
- Capability inventory: Shell command execution (
git,rm -rf,basename,cd) and file system manipulation. - Sanitization: No sanitization, escaping, or validation logic is specified for branch names or project paths.
- [DATA_EXPOSURE] (LOW): The skill lists active worktrees, paths, and commit messages. While intended for navigation, this could expose project structures or internal commit details to an LLM context without explicit user consent for each item.
Recommendations
- AI detected serious security threats
Audit Metadata