git-worktrees

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected BENIGN but with moderate supply-chain/runtime risks: The skill's described behavior is consistent with its purpose of creating isolated git worktrees. There are no signs of malicious intent, obfuscation, external data exfiltration, or suspicious network endpoints. Main security concerns are (1) executing package manager installs and tests which will fetch and execute third-party code and repository code (standard supply-chain risk), and (2) automatic commits to .gitignore which modify repository state and should require explicit user consent. Use in trusted environments or with user confirmation is recommended. LLM verification: Functionally the skill is coherent and its capabilities align with its stated purpose (creating safe, isolated git worktrees). The main security concerns are supply-chain and host-impact risks from running package manager install/build/test commands automatically (these fetch and execute remote code and may run install-time scripts), and the recommendation to automatically add and commit .gitignore changes to the repository without an explicit consent step. These make the skill potentially risky

Confidence: 90%
Severity: 75%
Audit Metadata
Analyzed At
Feb 21, 2026, 05:50 PM
Package URL
pkg:socket/skills-sh/SipengXie2024%2Fsuperpower-planning%2Fgit-worktrees%2F@c72c03ee98a7baf5d05fa78ab05c275fd9840757