using-git-worktrees

Fail

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill provides instructions to utilize the --dangerously-skip-permissions flag when invoking Claude Code. This is a significant security concern as it explicitly bypasses the permission-based guardrails designed to prevent unauthorized or unintended actions by the agent.
  • [REMOTE_CODE_EXECUTION]: Both the WORKFLOW.md and the scripts/setup-worktree.sh script contain logic to automatically perform package installation and project setup (e.g., npm install, pip install, uv sync, cargo build, go mod download) immediately after checking out a new branch into a worktree. This behavior can be exploited to execute malicious code contained within a project's dependency manifests or build scripts if the agent is directed to create a worktree for an untrusted branch or Pull Request.
  • [COMMAND_EXECUTION]: The skill utilizes tmux send-keys to dispatch shell commands to background terminal windows. This execution model allows commands to be run outside of the user's primary monitoring view, which can be leveraged to hide suspicious activity from the active session.
  • [COMMAND_EXECUTION]: The TASK_COMMAND variable in setup-worktree.sh and the core workflow takes arbitrary string input that is directly executed via the shell. This represents a command injection vulnerability if the task description or command string originates from an untrusted source and is not strictly validated before being passed to tmux send-keys.
  • [PROMPT_INJECTION]: The skill ingests data from external files like sprint-status.yaml and epics.md to orchestrate parallel work. Since these files can be modified by any contributor to a repository, they represent an indirect prompt injection surface where malicious instructions could be embedded to manipulate the agent's worktree creation or command dispatching logic.
  • Ingestion points: sprint-status.yaml and epics.md in the project root.
  • Boundary markers: Absent. The agent is instructed to read and load definitions directly into its context.
  • Capability inventory: git worktree add, tmux new-window, tmux send-keys (arbitrary shell execution), and automatic package installation via scripts/setup-worktree.sh.
  • Sanitization: Absent. Data parsed from these files is used to determine execution parameters like WORKTREE_NAME, BRANCH_NAME, and TASK_COMMAND without verification.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 27, 2026, 09:30 AM
Security Audit — agent-trust-hub — using-git-worktrees