worktree-manager
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script 'scripts/cleanup-worktree.sh' uses 'eval echo "$WORKTREE_PATH"' to process user-supplied input. This is a dangerous pattern that allows arbitrary command execution if the path contains shell metacharacters like '$(id)' or '; command ;'. An attacker could exploit this by influencing the branch or worktree names processed by the agent.
- [DATA_EXFILTRATION]: The skill accesses and manages sensitive environment files, specifically '~/eon/.env.alpha-forge', which are used to store credentials such as API keys and database host details. Accessing these files represents a high-risk data exposure, as the contents are made available to the agent's execution environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted user descriptions to derive slugs for file paths and branch names.
  - Ingestion points: User input for natural language worktree descriptions defined in 'SKILL.md'.
  - Boundary markers: Includes instructions for the agent to sanitize input via slug derivation rules (e.g., lowercase conversion, removal of filler words).
  - Capability inventory: Subprocess calls for 'git worktree' management and file-write operations for creating '.envrc' files across all scripts.
  - Sanitization: Uses natural language instructions for the agent to sanitize input, but no programmatic validation or escaping exists within the bash scripts themselves.
- [COMMAND_EXECUTION]: The 'create-worktree.sh' script and 'SKILL.md' interpolate user-controlled variables into shell commands. Without strict programmatic validation or proper shell escaping, this creates a surface for argument or command injection if the agent fails to strictly follow derivation rules.
Recommendations
- AI detected serious security threats