skills/raine/workmux/worktree/Gen Agent Trust Hub

worktree

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill operates as a dispatcher that ingests untrusted user input from task arguments and referenced markdown files to generate prompts for downstream worktree agents. This design pattern creates a surface for indirect prompt injection.
      • Ingestion points: Data enters the system via the $ARGUMENTS variable and by reading external markdown files (e.g., plans or specs) specified by the user.
      • Boundary markers: The skill uses shell-level delimiters ('EOF') to safely write prompt files, but it does not include instructional boundaries or "ignore embedded instructions" warnings within the generated prompts to prevent downstream agents from following malicious instructions hidden in the task descriptions.
      • Capability inventory: The skill has access to the Bash and Write tools, allowing it to execute the workmux command and create files on the local system.
      • Sanitization: No sanitization or validation of user-provided content is performed before it is interpolated into the prompts for sub-agents.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute local shell commands, including mktemp for temporary file creation and the workmux CLI for managing git worktrees. It dynamically constructs command strings using user-derived task names and descriptions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 10:37 PM