ralph-merge-worktrees
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill extracts the branchName and feature-name from local prd.json files and uses them to construct shell commands such as `git diff main...` and `git worktree remove .claude/worktrees/ralph/`. Without proper sanitization, this allows command injection if a branch or worktree is named maliciously.
- [PROMPT_INJECTION]: The skill processes data from multiple external project files, which constitutes an indirect prompt injection surface.
  - Ingestion points: Metadata files (prd.json) located in worktree directories at `.claude/worktrees/ralph/*/scripts/ralph/prd.json`.
  - Boundary markers: No delimiters or ignore instructions are used when reading these files.
  - Capability inventory: The skill has access to shell execution for git commands and directory removal, and can call other agent skills such as /squash.
  - Sanitization: No input validation or escaping is performed on the data read from the files before it is used in command strings.
Audit Metadata