worktree-fleet
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by concatenating strings from external configuration files without sufficient sanitization. In `lib/worker-spawn.sh`, the `build_inner_cmd` function iterates over the `extra_exports` argument and appends it directly to a command string. In `launch.sh`, this argument includes the `branch` name from `fleet.json`. If this value contains shell metacharacters (e.g., `;`, `&&`), it could lead to arbitrary command execution when the resulting string is executed via `bash -c` inside a tmux session.
- [REMOTE_CODE_EXECUTION]: The skill's primary function is to spawn sub-agents using `claude -p` or `codex exec`. For Claude workers, it uses the `--dangerously-skip-permissions` flag, which bypasses standard human-in-the-loop permission prompts for tool execution. This allows the sub-agents to perform operations with reduced oversight.
- [COMMAND_EXECUTION]: The `cleanup.sh` script employs broad process termination logic. It uses `pgrep -f` with the `FLEET_ROOT` path to identify and kill processes. If the `FLEET_ROOT` points to a common or root-level directory, this could result in the unintended termination of unrelated system processes matching the string.
- [COMMAND_EXECUTION]: The `cleanup.sh` script executes `rm -rf` on paths derived from the worktree directory structure. While intended for cleaning up the fleet, the lack of rigorous path validation before execution poses a risk of unintended file deletion if the fleet configuration is misconfigured or maliciously crafted.
Audit Metadata