guide-worktree-local-env
Fail
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `assets/setup-worktree.mjs` is vulnerable to command injection because it executes shell commands using unsanitized branch names provided through CLI arguments.
  - Evidence: The variable `branch` is interpolated directly into shell strings for `execSync` calls in the following instances:
    - `execSync(git worktree add ${worktreePath} ${branch}, ...)`
    - `execSync(git rev-parse --verify ${branch}, ...)`
    - `execSync(git worktree add -b ${finalBranch} ${worktreePath}, ...)`
  - Risk: An attacker or malicious input could provide a branch name containing shell metacharacters (e.g., `;`, `&`, `|`) to execute arbitrary code on the host system with the permissions of the user running the script.
- [PROMPT_INJECTION]: The skill architecture creates a surface for indirect prompt injection by processing untrusted data (branch names) and using it to influence privileged system operations.
  - Ingestion points: The `--checkout`, `--create`, and `--remove` CLI flags in `assets/setup-worktree.mjs` accept user or agent-provided branch names.
  - Boundary markers: The script does not use any delimiters or specific instructions to isolate the untrusted input from the surrounding command execution logic.
  - Capability inventory: The skill possesses extensive capabilities, including shell command execution (`execSync`), process termination (`process.kill`), and filesystem modifications (`symlinkSync`, `cpSync`, `writeFileSync`).
  - Sanitization: While the script performs basic character replacement for filesystem paths, it lacks any validation or escaping for the branch names when they are used as arguments in shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata