worktree
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to identify and run "standard install/build commands" found in dependency manifests such as `package.json`, `requirements.txt`, or `Gemfile`. Automatically running scripts from untrusted project files is a high-risk activity as they may contain malicious hooks like `postinstall` or `prepare`.
- [DYNAMIC_CONTEXT_INJECTION]: The skill uses the !`command` syntax to execute environment discovery commands (`git rev-parse`, `git worktree list`) at load time. This allows for silent execution of commands when the skill is first accessed by the agent.
- [COMMAND_EXECUTION]: The skill constructs shell commands for symlinking (`ln`) and relative path calculation (`perl`) using inputs from `$ARGUMENTS`. While it provides instructions to quote paths and prevent directory traversal, this reliance on the agent's logic for sanitization creates a surface for command injection.
- [DATA_EXFILTRATION]: The skill's core function is to handle files that are typically gitignored, such as `.env` files, API keys, and configuration secrets. By automating the symlinking of these items, it facilitates the exposure and propagation of sensitive credentials across different local environments.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external data from error messages and manifests to determine its actions.
  - Ingestion points: User-supplied `$ARGUMENTS` and local project files (`package.json`, `requirements.txt`).
  - Boundary markers: The instructions include requirements to canonicalize paths and verify they remain strictly within the project root.
  - Capability inventory: Shell execution for `ln`, `perl`, and manifest-defined build scripts.
  - Sanitization: The instructions explicitly direct the agent to quote all paths used in shell commands.
Audit Metadata