start
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local maintenance and setup scripts (e.g.,
done-cleanup.shandstart-worktree.sh) via the bash shell. It also leveragesosascriptto automate the macOS Terminal, executing commands likecdandclaudein new sessions to set up the workspace. - [PROMPT_INJECTION]: The skill is susceptible to command injection because raw user input from the
$ARGUMENTSvariable is interpolated into a single-quoted bash command string. Malicious input containing single quotes could break out of the intended string context to execute unauthorized shell commands on the host system. - [PROMPT_INJECTION]: The skill exhibits an indirect injection surface with the following mandatory evidence:
- Ingestion points: User-provided task descriptions via the
$ARGUMENTSvariable and issue metadata (including branch names) retrieved from Linear MCP tools. - Boundary markers: While data is wrapped in single quotes within shell scripts, there is no escaping of internal quotes or use of specific delimiters to prevent data from being interpreted as instructions.
- Capability inventory: The skill can execute bash scripts, manage git worktrees, modify files in the repository's
.claudedirectory, and automate macOS applications via AppleScript. - Sanitization: No explicit sanitization, validation, or escaping logic is performed on the task description or tool-provided branch names before they are used in high-privilege shell operations.
Audit Metadata