git-worktree-workflow

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): Vulnerability in scripts/worktree-merge.sh using eval on unvalidated input.
  • Description: The script constructs a MERGE_CMD string using the STORY_ID argument (which forms BRANCH_NAME) and executes it via eval. This allows an attacker to perform command injection by providing a STORY_ID containing shell metacharacters (e.g., ;, |, &, or backticks).
  • Evidence: Line 140 in scripts/worktree-merge.sh contains eval "$MERGE_CMD", where MERGE_CMD includes the unvalidated BRANCH_NAME variable.
  • Risk Context: In an AI agent environment, if an agent is directed to process a story ID from an untrusted source (such as a PR description or an external task tracker) and passes it to this script, the result could be arbitrary code execution on the host machine.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 21, 2026, 04:24 PM