worktree-task

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements an unsafe configuration parsing mechanism in 'scripts/providers/tmux-agent.sh'. The function 'provider_parse_command_spec' uses the 'eval' command on strings retrieved from repository-controlled configuration files ('.worktree-task/config.env'). An attacker can craft a malicious configuration file that executes arbitrary shell commands when the skill is invoked in that repository.
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands to interact with 'git' and 'tmux'. While many variables are shell-quoted, the reliance on 'eval' for parsing provider commands creates a vulnerability that bypasses these protections.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted 'task prompts' and incorporates them into command executions without adequate sanitization or boundary markers.
    * Ingestion points: Task prompts are read from 'stdin' or a specified '--prompt-file' in 'scripts/lib/core.sh'.
    * Boundary markers: There are no delimiters or instructions to ignore embedded commands within the prompt content.
    * Capability inventory: The skill can execute git commands, manage tmux sessions, and launch arbitrary agent CLI tools defined in configuration.
    * Sanitization: No escaping or validation is performed on the prompt content before it is passed to sub-processes.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 1, 2026, 03:14 AM