worktree
Warn
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes bash scripts to perform git operations, including
git worktree add,git fetch, andgit commit. It uses placeholders like<sanitized-name>and<new-branch-name>for user input, which creates a significant surface for shell command injection if the agent fails to perform rigorous sanitization before code substitution. - [COMMAND_EXECUTION]: The skill includes logic to automatically modify the project's
.gitignorefile and perform agit committo the repository. While the skill description notes that user confirmation should be required, these are automated write operations that modify the project's permanent history. - [EXTERNAL_DOWNLOADS]: The skill can perform network operations via
git fetch origin <base>when the--fetchflag is used, which communicates with external git hosting providers. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via user-supplied branch or worktree names that could attempt to manipulate the bash logic or underlying git commands.
- Ingestion points: User-provided strings for worktree names and branch names in Phase 1.
- Boundary markers: The skill logic uses standard shell variable assignment but lacks specific delimiter-based isolation for the untrusted data.
- Capability inventory: The skill has access to shell execution (
bash), filesystem write access (modifying.gitignore), and network access (git fetch). - Sanitization: The skill provides an instruction to the AI to sanitize names, but does not implement programmatic validation or escaping, relying entirely on the agent's interpretation of 'sanitization'.
Audit Metadata