git-worktree
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill includes functionality to automatically discover and copy sensitive environment files (such as `.env`, `.env.local`, and `.env.test`) from the repository root into newly created worktree directories. This increases the local exposure surface of secrets.
  - Evidence: In `scripts/worktree-manager.sh`, the `copy_env_files` function iterates through all files matching `.env*` and duplicates them to the target worktree path.
- [COMMAND_EXECUTION]: The script executes multiple shell-based Git operations using variables for branch names and paths.
  - Evidence: The `create_worktree`, `switch_worktree`, and `cleanup_worktrees` functions in `scripts/worktree-manager.sh` interpolate variables into commands like `git worktree add`, `git checkout`, and `git worktree remove`.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests untrusted branch names and uses them in shell commands without sanitization beyond basic quoting.
  - Ingestion points: the `branch_name` and `from_branch` arguments in `scripts/worktree-manager.sh`.
  - Boundary markers: Absent.
  - Capability inventory: `git worktree add`, `git checkout`, `git pull`, and `git worktree remove` in `scripts/worktree-manager.sh`.
  - Sanitization: Absent; the script relies only on double-quoting variables, which does not prevent all forms of argument injection.
Audit Metadata