worktree-setup
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill is designed to identify and copy sensitive environment files, including
.env,.env.local, and.env.development, from the main repository to agent worktrees. While intended for local synchronization, this behavior involves the direct handling of project secrets. - [COMMAND_EXECUTION]: The skill generates shell scripts and configurations containing file system operations such as
rsync,mkdir, andcp. It also creates placeholders for installation and execution commands ({INSTALL_CMD},{RUN_CMD}) that are intended to be executed in the agent's environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it derives installation and execution commands from untrusted project files like
package.json,Makefile,Cargo.toml, andREADME.md. Malicious instructions embedded in these files could be propagated into the generated setup scripts. - Ingestion points: Project-level configuration and documentation files (e.g.,
package.json,Makefile,README.md). - Boundary markers: None identified; the skill directly interpolates content from these files into command templates.
- Capability inventory: Generation and execution of shell scripts, including directory creation and recursive file copying.
- Sanitization: No validation or sanitization of the commands extracted from project files is performed before they are included in the setup templates.
Audit Metadata