using-git-worktrees
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from project-local files to determine its execution logic.
- Ingestion points: Reads
CLAUDE.mdfor directory preferences and checks for the existence ofpackage.json,Cargo.toml,requirements.txt, etc., to trigger setup scripts. - Boundary markers: Absent; the skill lacks delimiters or warnings to ignore embedded instructions in these files.
- Capability inventory: Executes subprocess calls for
git,npm,cargo,pip,poetry,go, and various test runners. It also performs file-write operations (modifying.gitignore). - Sanitization: Absent; configuration data from
CLAUDE.mdand project names are interpolated into shell commands. - Command Execution (LOW): The skill automatically executes shell commands (
npm install,cargo build,npm test, etc.) based on the presence of specific files. While these are intended primary functions for development isolation, they can be leveraged to execute malicious scripts defined in a repository's package manifest or test suite. - External Downloads (LOW): The use of package managers like
npm,pip, andcargoinvolves downloading external dependencies from public registries. While these are standard sources, the skill does not verify the integrity or safety of the packages being requested by the local project files.
Audit Metadata