worktree-manager
Audited by Socket on Mar 14, 2026
2 alerts found:
Anomaly (x2): The script is a convenience launcher that itself contains no obvious backdoor or exfiltration code, but it executes an externally-configurable command (CLAUDE_CMD) without sanitization. If config.json or other inputs controlling CLAUDE_CMD are attacker-controlled, this leads to arbitrary command execution on the developer’s machine. Therefore the code is not directly malicious, but it creates a moderate-to-high risk execution sink and should be treated cautiously.
BENIGN with medium security risk. The skill’s capabilities largely match its stated worktree-management purpose, and installs/data flows are mostly local and official. The main concerns are the mandated use of `--dangerously-skip-permissions`, propagation of `.claude/` hooks/permissions, and copying env files into multiple worktrees, which broaden impact if an agent or hook misbehaves.