using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill automatically executes package installation and test commands based on files detected in the repository.
  - Evidence: The 'Run Project Setup' and 'Verify Clean Baseline' sections in `SKILL.md` invoke `npm install`, `pip install -r requirements.txt`, `poetry install`, `cargo build`, `npm test`, `cargo test`, `pytest`, and `go test` without a human-in-the-loop confirmation.
  - Risk: An attacker can include malicious `preinstall` or `postinstall` scripts in `package.json`, or embed malicious code within the test suite that executes when the agent attempts to verify the 'clean' baseline.
- [COMMAND_EXECUTION] (HIGH): The skill performs shell-level directory creation and navigation based on variables derived from the repository environment.
  - Evidence: `git worktree add "$path" -b "$BRANCH_NAME"` and subsequent `cd "$path"` commands.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill initiates downloads of external dependencies from public registries.
  - Evidence: Execution of `npm install`, `pip install`, and `go mod download` triggers network requests to external package repositories.
- [PROMPT_INJECTION] (MEDIUM): The skill parses `CLAUDE.md` for instructional preferences, creating a surface for indirect prompt injection.
  - Evidence: `grep -i "worktree.*director" CLAUDE.md` is used to determine directory selection logic from an untrusted repository file.
Recommendations
- AI detected serious security threats
Audit Metadata