skills/zfael/brn/git-worktree/Gen Agent Trust Hub

git-worktree

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The scripts pass user-supplied arguments like REPO_URL and BRANCH_NAME directly to git commands. While variables are double-quoted to prevent shell word-splitting, they are not validated for leading dashes, which allows an attacker to inject command-line flags such as --upload-pack or --template to execute arbitrary code during the clone process.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's primary function is to download external repository content. This introduces a surface for Indirect Prompt Injection where malicious content in the repository or its metadata could influence the agent's reasoning.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): All scripts execute an external dependency at a relative path (../../workspace-manager/scripts/get_active_workspace.sh). This creates a vulnerability where a compromised neighboring directory can hijack the skill's execution flow.
  • [PROMPT_INJECTION] (HIGH): (Category 8) The skill facilitates Indirect Prompt Injection through untrusted data ingestion. Ingestion points: scripts/clone_repo.sh via REPO_URL and repository content. Boundary markers: Absent. Capability inventory: git clone, git worktree add, mkdir -p. Sanitization: Absent. Input strings are used as CLI arguments without validation against protocol schemes or flag prefixes.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:22 AM