worktree
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `Bash` tool to execute git commands and a local helper script (`symlink-gitignored.sh`). These operations are core to the skill's functionality, but they widen the attack surface if the input that reaches them is not sanitized.
- [DATA_EXFILTRATION]: No external network exfiltration is detected, but the `symlink-gitignored.sh` script specifically targets `.env` files and other gitignored configuration files for symlinking. Each new worktree therefore gets a link to the credentials, so they are exposed in additional directories on the local filesystem.
- [PROMPT_INJECTION]: The skill derives branch names from user-provided arguments. It includes a step to 'show the derived name', but it does not strictly validate the input against shell metacharacters before the name reaches git.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect injection via malicious repository content.
  - Ingestion points: The skill reads external data from `git branch` and `git ls-files` (file and directory names) to automate worktree setup and symlinking.
  - Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the processed file metadata or repository state.
  - Capability inventory: The skill can execute shell commands, create symbolic links, and modify git configuration files (`.git/info/exclude`).
  - Sanitization: The bash script contains a vulnerability in its loop handling (`for entry in $TOP_LEVEL_IGNORED; do`). The expansion is unquoted, so an entry containing spaces or newlines is split into several entries, glob characters are expanded, and a name beginning with a dash is handed to the consuming command where it can be parsed as an option. A maliciously crafted repository could use this to cause unintended file manipulation.
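The flagged loop next to a hardened form, as an added example that is not part of the audited skill or of its `symlink-gitignored.sh`. It replaces `git ls-files` output with a constructed NUL-delimited list of hostile names (one with a space, one with a leading dash, one with an embedded newline) so it runs without a git repository; the function names, the scratch-directory demo, and the path-traversal check are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example; not the audited skill's symlink-gitignored.sh. It contrasts the
# word-splitting loop the audit flags with a NUL-delimited loop, using a constructed
# list of hostile entry names in place of `git ls-files` output, so it runs without git.
set -euo pipefail

# Constructed sample of top-level ignored entries, NUL-delimited as
# `git ls-files -z` would emit them. Names chosen to break a naive loop:
# a space, a leading dash, and an embedded newline.
ignored_entries_nul() {
  printf '%s\0' '.env' 'secrets dir' '-rf' "$(printf 'evil\nname')" '.env.local'
}

# The pattern flagged in the audit. The unquoted $TOP_LEVEL_IGNORED is split on
# IFS (space, tab, newline) and glob-expanded, so 'secrets dir' and the
# newline-bearing name each become two entries, and '-rf' survives intact to be
# parsed as an option by whatever command later receives "$entry".
count_with_word_splitting() {
  local TOP_LEVEL_IGNORED n=0 entry
  TOP_LEVEL_IGNORED=$(ignored_entries_nul | tr '\000' '\n')
  for entry in $TOP_LEVEL_IGNORED; do
    n=$((n + 1))
  done
  echo "$n"   # 7 entries counted where the list holds 5
}

# Hardened loop: reads NUL-delimited entries from stdin (no IFS splitting, no
# globbing, newlines preserved), skips paths that escape the source tree, and
# passes every name after `--` so a leading dash can never become an option.
# Links $1/<entry> into $2/<entry> and prints how many links it made.
link_ignored_entries() {
  local src="$1" dst="$2" n=0 entry
  while IFS= read -r -d '' entry; do
    case "$entry" in
      ''|/*|..|../*|*/..|*/../*) continue ;;   # absolute or traversing paths
    esac
    ln -s -- "$src/$entry" "$dst/$entry"
    n=$((n + 1))
  done
  echo "$n"
}

# End-to-end check in a scratch directory: create the hostile names as real
# files, link them into a second directory, and report the link count.
# Prints "dangling" instead if any link fails to resolve (a mangled name).
demo_link_count() {
  local tmp src dst n
  tmp=$(mktemp -d)
  src="$tmp/main"; dst="$tmp/worktree"
  mkdir -p "$src" "$dst"
  ignored_entries_nul | while IFS= read -r -d '' e; do : > "$src/$e"; done
  n=$(ignored_entries_nul | link_ignored_entries "$src" "$dst")
  [ -z "$(find "$dst" -type l ! -exec test -e {} \; -print)" ] || n="dangling"
  rm -rf -- "$tmp"
  echo "$n"
}

if [ "${1:-}" = "--demo" ]; then
  echo "naive loop counted:    $(count_with_word_splitting)"
  echo "hardened links made:   $(demo_link_count)"
fi
```

Run it with `--demo`: the naive loop reports 7 entries for a 5-entry list, while the hardened loop creates 5 links that all resolve. In a real script the NUL-delimited list would come from `git ls-files -z` (a standard git option) rather than the constructed sample, and the `--` guard is needed for every command that receives an entry (`ln`, `rm`, `cp`), not only `ln`.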
Audit Metadata