worktrees

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to automatically execute arbitrary shell commands or scripts specified in the .cursor/worktrees.json configuration file found within the target repository. This allows any repository to run arbitrary code on the user's machine without explicit verification of the commands being executed.
  • [CREDENTIALS_UNSAFE]: The workflow includes logic to search for and copy all files matching .env* from the main project to the worktree directory. This automated handling of sensitive credential files increases the attack surface for secret exposure.
  • [PROMPT_INJECTION]: The skill implements a pattern vulnerable to indirect prompt injection. By following instructions found in the repository's data (the JSON config), the agent's behavior is controlled by external, potentially untrusted content.
      • Ingestion points: .cursor/worktrees.json (file lookup logic).
      • Boundary markers: None. The skill executes the strings found in the JSON file directly.
      • Capability inventory: Sequential bash execution, file system access (cp, mkdir), and git operations.
      • Sanitization: None; instructions are executed as provided in the JSON file.
  • [EXTERNAL_DOWNLOADS]: The skill triggers automated dependency installation using various package managers (npm, pip, cargo, etc.) based on the presence of standard lockfiles in the repository.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 1, 2026, 09:52 PM