using-git-worktrees
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill automatically detects and runs setup commands (npm install, cargo build, pip install, poetry install, go mod download) and test suites (npm test, cargo test, pytest, go test). These operations execute code defined within the repository's configuration files. In an untrusted project, these files could contain malicious pre/post-install scripts or test code that compromises the agent's environment.
- Indirect Prompt Injection (LOW): The skill ingests data from a file named AGENTS.md to determine the worktree directory path without sanitization or boundary markers.
  - Ingestion points: the AGENTS.md file, read via the grep command.
  - Boundary markers: None identified; the skill directly uses the output of the grep command to set internal variables.
  - Capability inventory: The skill has capabilities to execute shell commands (git), install packages (npm, pip), and commit changes to the repository.
  - Sanitization: No sanitization or path validation is performed on the input retrieved from AGENTS.md before it is used in directory selection.
- Data Exposure & Exfiltration (LOW): The skill performs network operations via standard package managers to download dependencies. While these target trusted registries (npm, PyPI, crates.io), they are executed automatically upon workspace setup. Per [TRUST-SCOPE-RULE], the downloads themselves are considered low risk, but the automated execution remains a medium-level concern.
Audit Metadata