using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Detected an indirect prompt injection surface through the processing of untrusted local files.
  - Ingestion points: The skill reads configuration preferences from 'CLAUDE.md' via 'grep' to determine directory locations.
  - Boundary markers: None present; the skill assumes the content of 'CLAUDE.md' is safe and well-formatted.
  - Capability inventory: The skill possesses extensive execution capabilities including 'git worktree add', 'npm install', and various test runners.
  - Sanitization: None; the extracted value is interpolated directly into shell variables used for path construction and directory creation, which can lead to command injection if 'CLAUDE.md' contains shell metacharacters.
- [COMMAND_EXECUTION] (HIGH): The skill automatically executes project-specific installation and test commands ('npm install', 'npm test', 'pytest', etc.) based on the presence of manifest files. This allows a malicious repository to achieve arbitrary code execution on the agent's environment during the 'safety verification' and 'setup' phases.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill utilizes package managers ('pip', 'npm', 'cargo') to download and install dependencies. While these are standard tools, their automated use on untrusted repositories facilitates supply chain attacks or execution of malicious post-install scripts.
Recommendations
- AI detected serious security threats