git-worktree
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk vulnerability surface by combining shell execution capabilities with the processing of untrusted external content. (1) Ingestion points: Git branch names and directory paths passed to the
git worktreecommand (as described in SKILL.md). (2) Boundary markers: Absent. No delimiters or 'ignore' instructions are provided to isolate untrusted branch names. (3) Capability inventory: Shell command execution via thegitbinary, which can be leveraged for shell injection or to trigger malicious git hooks. (4) Sanitization: Absent. No logic is provided to validate or escape inputs before they are interpolated into commands. - [Command Execution] (MEDIUM): The skill explicitly instructs the agent to run shell commands (
git worktree add,git worktree list,git worktree remove) with variable parameters. This introduces a risk of command injection if the agent uses inputs containing shell metacharacters provided by an external actor.
Recommendations
- AI detected serious security threats
Audit Metadata