git-worktrees
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill automatically executes environment setup and test baseline commands (e.g.,
npm install,npm test,pip install,cargo build) based on files detected in the project root. This is a standard developer workflow, but it allows a repository to trigger arbitrary command execution via post-install hooks or test scripts. Severity is reduced to LOW as this is the primary purpose of the skill.\n- [EXTERNAL_DOWNLOADS] (LOW): Triggers external package downloads through official package managers. This behavior is expected for workspace setup but involves interacting with external registries based on repository-defined dependencies.\n- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection via theCLAUDE.mdfile, which it uses to determine configuration preferences without validation.\n - Ingestion points: The
CLAUDE.mdfile is read viagrepto find directory preferences.\n - Boundary markers: None; information retrieved from the repository files is used directly in shell commands.\n
- Capability inventory: The skill can execute
git worktree,npm,cargo,pip,poetry, andgocommands, and can modify the repository's.gitignoreand commit changes.\n - Sanitization: No sanitization or escaping is performed on the data extracted from
CLAUDE.mdor branch names before they are interpolated into shell commands (e.g.,path="$LOCATION/$BRANCH_NAME").
Audit Metadata