recollect-worktree
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Data Exposure & Exfiltration (LOW): The script scripts/worktree-manager.sh accesses and copies .env.local to newly created worktree directories. While these files remain local, they contain sensitive secrets such as Supabase or Cloudflare API keys. The risk is minimized as the data stays within the local filesystem.
- Unverifiable Dependencies & Remote Code Execution (LOW): The skill executes pnpm install automatically in the create_worktree function. This installs external packages and may trigger malicious lifecycle scripts if the branch being reviewed contains a compromised package.json. This is a common development risk that is automated by this skill.
- Indirect Prompt Injection (LOW): The skill is designed for PR reviews (/review command), creating an attack surface for indirect injection. [1] Ingestion points: Branch configuration files (package.json) and branch content from untrusted PRs. [2] Boundary markers: Absent. [3] Capability inventory: File system access (cp) and command execution (pnpm install). [4] Sanitization: Absent; the script does not validate the safety of the repository content before performing installations.
Audit Metadata