worktree-devproxy

Pass

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes shell scripts (scripts/wt, scripts/devproxy-route) to automate system-level tasks.
      • The scripts/wt utility executes direnv allow and direnv exec inside newly created Git worktrees. This behavior automatically authorizes the execution of .envrc files found in the branch, bypassing standard manual security checks.
      • The scripts invoke docker compose and docker run to manage containerized services and perform file ownership adjustments on the host system.
      • A port-checking function in SKILL.md uses /dev/tcp/ bash syntax for network socket testing, which is a common method for determining port availability but involves low-level network interaction.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of configuration and code found within external Git branches.
      • The wt new command creates a worktree and immediately runs docker compose up --build, which executes the docker-compose.yml and any build instructions (such as Dockerfiles) provided in the repository branch.
      • The automated direnv integration allows for the execution of arbitrary shell commands defined in the environment configuration of the repository being processed.
  • [EXTERNAL_DOWNLOADS]: The configuration references and downloads the traefik:v3 image from Docker Hub, which is a well-known container registry.
  • [PROMPT_INJECTION]: The skill's workflow creates an attack surface for indirect injection where untrusted repository data influences system execution.
      • Ingestion points: Git branch contents, specifically .envrc, docker-compose.yml, and Dockerfile files processed during worktree creation in scripts/wt.
      • Boundary markers: Absent. The script explicitly automates the direnv allow step, which is designed as a manual security boundary for environment configurations.
      • Capability inventory: Subprocess execution of docker, git, and direnv within the host environment.
      • Sanitization: While branch names are sanitized to prevent directory traversal or basic shell injection in filenames, the actual contents of the configuration files within the branch are executed without validation or isolation.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 12, 2026, 10:41 PM