using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill reads and interprets instructions from untrusted external files within the project directory.
  - Ingestion points: The skill reads directory preferences from `CLAUDE.md` and identifies build/test requirements from `package.json`, `requirements.txt`, `Cargo.toml`, `pyproject.toml`, and `go.mod`.
  - Boundary markers: No boundary markers or isolation techniques are used when processing these files.
  - Capability inventory: The skill possesses extensive execution capabilities including shell command execution, file modification (`.gitignore`), and network-enabled package managers.
  - Sanitization: No sanitization is performed on the data ingested from the project files before it influences agent behavior or command execution.
- [Command Execution] (HIGH): The skill automatically executes setup and test suites which can run arbitrary code defined in the repository.
  - Evidence: Steps 3 and 4 in `SKILL.md` explicitly instruct the agent to run `npm install`, `npm test`, `cargo build`, `cargo test`, `pip install`, `poetry install`, and `go test` based on file detection.
- [External Downloads] (MEDIUM): The skill invokes package managers that fetch and execute third-party code from public registries (npm, PyPI, etc.).
  - Evidence: Commands like `npm install` and `pip install -r requirements.txt` download external dependencies at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata