Skills
skills/scientiacapital/skills/worktree-manager/Snyk

worktree-manager

Warn

Audited by Snyk on Mar 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly runs GitHub CLI commands to read PR state and metadata from GitHub (see scripts/status.sh and reference/cleanup-operations.md which call gh pr list / gh pr view) and uses that untrusted, user-generated third‑party content to decide and perform actions like auto-cleanup and branch deletion, which can materially influence tool use and next steps.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs agents to bypass permission checks (using --dangerously-skip-permissions) and performs global filesystem and registry modifications (creating/removing worktrees, copying ~/.claude, updating ~/.claude/worktree-registry.json, running hooks that can rm -rf paths and install dependencies), enabling autonomous, potentially destructive changes to the host.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 27, 2026, 07:58 PM
Issues
2