workspace-isolation
Audited by Socket on Feb 15, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

This skill's stated purpose (use Git worktrees to create isolated workspaces, verify .gitignore, auto-run project setup and tests) matches its described capabilities. There is no explicit malicious code or obfuscation. However, the automation choices present notable supply-chain and repository-modification risks: automatically editing and committing .gitignore, and automatically running dependency installs and test/build commands, can execute untrusted code and mutate repository history without clear user confirmation. Additionally, the lack of sanitization for branch and location inputs is a potential path-traversal and file-creation risk. Overall, the artifact appears operationally useful but carries moderate security risk because it automates actions that commonly require user oversight. Recommendations: add explicit user confirmation before committing changes and before running installs or tests, sanitize branch and location inputs, and offer optional sandboxing or dry-run modes.

LLM verification: BENIGN overall, with a clear, purpose-aligned workflow for isolated Git worktrees and automated environment setup. The approach prioritizes repository safety (.gitignore checks) and validation via tests.
Potential risks are mostly around automatic .gitignore edits and reliance on CLAUDE.md for preferences without explicit user prompts in some contexts; these should be surfaced to users. No credential leakage or external data flows are evident in the executable content.