worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability. The skill ingests untrusted data from story and task descriptions to name branches and populate Pull Request metadata. Evidence:
  1. Ingestion points: Story and Task IDs/names (SKILL.md).
  2. Boundary markers: Absent.
  3. Capability inventory: Full shell access for git and gh commands.
  4. Sanitization: Absent; variable content is directly interpolated into commands like 'git merge story-12-user-auth'.
  An attacker could craft a story name containing shell metacharacters (e.g., 'story; rm -rf /') to execute arbitrary commands.
- [COMMAND_EXECUTION] (HIGH): The skill automatically executes package managers (npm, pip, cargo, etc.) upon worktree creation. This creates a risk of Remote Code Execution (RCE) if the skill processes a repository with malicious lockfiles or build scripts (e.g., package.json postinstall or Cargo.toml build scripts).
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill triggers downloads from external registries (npm, PyPI, crates.io, etc.) based on the presence of lockfiles. While these are standard registries, the automated nature of the installation without human verification increases the risk of dependency confusion and malicious dependency exploitation.
Recommendations
- AI detected serious security threats