git-worktrees-usage
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Credential file access detected

The instructions describe a reasonable and useful workflow to create isolated git worktrees and prepare them for development. There are no clear signs of deliberate malicious code or obfuscated payloads in the provided content. The main security concerns are standard supply-chain and user-impact risks: automatic execution of package manager installs/builds (which fetch and execute third-party code), automatic modification and committing of repository state (.gitignore), lack of explicit integrity/lockfile verification, and absence of strong, explicit user prompts/consent for high-impact operations. Recommend: require explicit user confirmation before committing to the repo and before running networked installs/builds; prefer using lockfiles or checksum verification; run installs in isolated sandboxes or containers when possible; and log/preview any proposed git changes for user review prior to committing.

LLM verification: The skill's behavior is consistent with a workspace-management utility: selecting/creating worktrees, verifying git ignore status, running language-specific setup, and running tests. It does not contain explicit backdoors, obfuscated payloads, or hardcoded network exfiltration endpoints. The primary risks are operational: automatic repository mutation (committing .gitignore) and automated execution of unpinned dependency installers and test suites which can execute arbitrary code (supply-chain r