NYC

workspace-isolation

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Findings flagged: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The skill runs multiple shell commands including 'git worktree', 'npm install', and various test runners (pytest, cargo test). This grants the agent the ability to execute code defined within a project's configuration, which is a risk when working with untrusted repositories.
  • [EXTERNAL_DOWNLOADS] (LOW): Triggers automated package installations from external registries (npm, PyPI, etc.) upon detecting specific files like package.json or requirements.txt. The skill does not verify the integrity or safety of these external dependencies.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). 1. Ingestion points: Reads 'CLAUDE.md' for configuration and processes output from shell commands. 2. Boundary markers: Absent; there are no delimiters separating data from instructions. 3. Capability inventory: Includes file system modification (.gitignore), directory creation, and arbitrary command execution via package managers. 4. Sanitization: None; ingested text is used to drive logic without escaping or validation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:00 PM