using-git-worktrees
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes project-level configuration files which are untrusted external data that can influence agent behavior and code execution.
  • Ingestion points: AGENTS.md, Justfile, .mise.toml, package.json, Cargo.toml, requirements.txt, pyproject.toml, go.mod.
  • Boundary markers: Absent. No verification or sandboxing of repository-provided scripts.
  • Capability inventory: The skill has the capability to run arbitrary shell commands via npm, pip, cargo, and just.
  • Sanitization: Absent. The skill directly executes found commands.
- [Remote Code Execution] (HIGH): The skill performs automatic execution of commands defined in project files.
  • Evidence: The script automatically runs `just setup`, `npm install`, and `npm test` based on the presence of local files. A malicious actor could populate these files with harmful commands that execute automatically when an agent attempts to create a worktree.
- [Command Execution] (HIGH): The skill invokes system-level package managers and build tools with high-privilege access to the project directory.
Recommendations
- AI detected serious security threats
Audit Metadata