Gen Agent Trust Hub audit: skills/srstomp/pokayokay/worktrees

worktrees

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute standard shell commands for Git management (e.g., git worktree, git merge, git branch) and filesystem operations (e.g., du, rm). These are used for worktree lifecycle management, cleanup, and disk usage monitoring as documented in references/worktree-management.md and references/cleanup-strategies.md.
  • [EXTERNAL_DOWNLOADS]: The skill automates dependency installation using well-known package managers such as npm, pip, cargo, poetry, and go when a new worktree is created. This involves downloading code from official public registries (e.g., npmjs.com, pypi.org). Evidence is found in the 'Dependency Installation' section of references/worktree-management.md.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface: it bases execution logic (story ID extraction, worktree naming and dependency installation triggers) on untrusted data, namely branch names and the presence of specific repository files (lockfiles), both of which anyone who can push a branch or open a pull request controls.
    ◦ Ingestion points: Branch names and lockfiles within the local project directory, as described in references/cleanup-strategies.md.
    ◦ Boundary markers: Absent; the instructions do not specify delimiters for branch-derived data when the agent parses it.
    ◦ Capability inventory: Full shell execution capabilities for Git and package managers across all referenced scripts.
    ◦ Sanitization: Absent; branch names are passed to shell commands as-is, with only the shell's ordinary argument parsing between the data and the command.
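The findings above say the skill derives story IDs and worktree paths from branch names and decides whether to run a package manager from lockfile presence, with no boundary markers and no sanitization. The POSIX shell script below is an added example written for this page, not code from the audited skill or from Gen Agent Trust Hub. It shows the guard a practitioner would want in front of those commands: an allowlist check on the branch name that fails closed, story ID extraction that only ever yields a PROJECT-NUMBER token, a worktree path built from that token rather than the raw branch, a `git worktree add` terminated with `--`, and an install-command table that avoids repository-controlled hooks where the tool supports it. The function names, the `.worktrees` layout, the ID pattern and the lockfile-to-command mapping are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the audited skill): treat branch names and lockfiles as
# untrusted input before they reach git, the shell or a package manager.
# The allowlist, the ID pattern and the install table below are assumptions of this example.
LC_ALL=C
export LC_ALL
WORKTREE_ROOT=${WORKTREE_ROOT:-.worktrees}   # assumed layout: one directory per story ID

# Allowlist check. Anything outside [A-Za-z0-9/_.-], a leading '-', '..', an empty path
# component or a shape git itself forbids is rejected. This runs before the string is
# used anywhere, so "feature/STORY-42;rm -rf ~" never becomes part of a command line.
validate_branch_name() {
    b=$1
    [ -n "$b" ] || return 1
    case $b in
        *[!A-Za-z0-9/_.-]*) return 1 ;;                     # space ; $ ` | & quotes newline ...
        -*|.*|/*|*/|*/.*|*..*|*//*|*.lock|*.) return 1 ;;  # option injection, traversal, git-invalid
    esac
    return 0
}

# Extract the story ID (uppercase PROJECT-NUMBER) that begins some path component of the
# branch name. Fails closed: invalid branch or no ID means no output and a non-zero status.
extract_story_id() {
    validate_branch_name "$1" || return 1
    rest=$1
    while [ -n "$rest" ]; do
        seg=${rest%%/*}
        id=$(printf '%s\n' "$seg" | sed -n 's/^\([A-Z]\{2,10\}-[0-9]\{1,9\}\)\(-.*\)*$/\1/p')
        if [ -n "$id" ]; then
            printf '%s\n' "$id"
            return 0
        fi
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
    return 1
}

# Build the worktree directory from the validated ID only, never from the raw branch string.
worktree_path() {
    id=$(extract_story_id "$1") || return 1
    printf '%s/%s\n' "$WORKTREE_ROOT" "$id"
}

# The git invocation the skill would run; '--' stops the branch being read as an option.
add_worktree() {
    path=$(worktree_path "$1") || { printf 'refusing branch name: %s\n' "$1" >&2; return 1; }
    git worktree add -- "$path" "$1"
}

# Map a lockfile to an install command. A pull request can add or edit a lockfile, so the
# trigger is attacker reach; prefer modes that do not run repository-controlled code.
plan_install() {
    d=$1
    if   [ -f "$d/package-lock.json" ]; then echo "npm ci --ignore-scripts"
    elif [ -f "$d/poetry.lock" ];        then echo "poetry install --no-root"
    elif [ -f "$d/requirements.txt" ];   then echo "pip install --require-hashes -r requirements.txt"
    elif [ -f "$d/Cargo.lock" ];         then echo "cargo fetch --locked"
    elif [ -f "$d/go.sum" ];             then echo "go mod download"
    else echo "none"
    fi
}

# Constructed sample input: two legitimate branch names and two hostile ones.
for b in 'feature/STORY-42-add-login' 'STORY-7' 'feature/STORY-42;rm -rf ~' 'feature/../../etc/cron.d'; do
    if id=$(extract_story_id "$b"); then
        printf 'ok      %-30s -> %s\n' "$b" "$(worktree_path "$b")"
    else
        printf 'reject  %s\n' "$b"
    fi
done

# Constructed sample tree with only a Go lockfile present.
tmp=$(mktemp -d) && : > "$tmp/go.sum" && printf 'install: %s\n' "$(plan_install "$tmp")" && rm -rf "$tmp"
```

The allowlist is deliberately narrower than what git accepts; `git check-ref-format --branch NAME` is git's own validity test and can be layered on top, but it does not stop a valid branch name from carrying a misleading story ID, which is why the ID is extracted by a strict pattern and everything else is discarded. `npm ci --ignore-scripts`, `pip install --require-hashes` (which needs a hashed requirements file), `cargo fetch --locked` and `go mod download` are the tools' real flags; `poetry install --no-root` still builds dependencies, so that step belongs in a sandboxed worktree rather than the agent's main environment.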
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 12:19 AM