worktree-ops
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes output from Git commands (such as branch names and worktree paths) and incorporates them into subsequent agent operations without using boundary markers or sanitization logic.
  - Ingestion points: Data from `git worktree list --porcelain` is used to drive the list and removal workflows in SKILL.md.
  - Boundary markers: The instructions do not define delimiters (e.g., XML tags) to isolate external data from the agent's core instructions.
  - Capability inventory: The skill performs high-privilege operations including branch deletion (`git branch -D`) and forced worktree removal (`git worktree remove --force`).
  - Sanitization: No validation or escaping is performed on environment-derived variables before they are interpolated into shell commands.
- [COMMAND_EXECUTION]: Shell commands are constructed by concatenating variables like `<name>` and `<path>` directly into Git commands (e.g., `git worktree add .worktrees/<name>`). This is a potential command injection vector if the input contains shell metacharacters such as semicolons, pipes, or backticks.
Audit Metadata