Trust Assessment
using-git-worktrees received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Command Injection via unsanitized git worktree variables"; "Supply Chain Risk: Execution of untrusted package manager and test commands"; and "Excessive Permissions: Unconfirmed gitignore modification and commit".
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. The llm_behavioral_safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 6d52fe32). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Supply Chain Risk: Execution of untrusted package manager and test commands.** The skill explicitly instructs the LLM to execute various package manager commands (`npm install`, `cargo build`, `pip install`, `poetry install`, `go mod download`) and test commands (`npm test`, `cargo test`, `pytest`, `go test ./...`) based on file detection within the newly created worktree. These commands are known vectors for supply chain attacks, as they download dependencies and execute arbitrary code defined in project configuration files (e.g., `package.json` scripts, `setup.py`, `build.rs`). If the project being worked on (or its dependencies) is untrusted or compromised, this skill would directly execute malicious code on the host system without further user confirmation or sandboxing. Remediation: 1. Require explicit user confirmation: Before executing any package manager or test commands, the LLM should always ask the user for explicit confirmation, detailing the commands to be run. 2. Sandboxing: Execute these commands within a strictly sandboxed environment (e.g., Docker container, virtual machine) with minimal permissions and no access to sensitive host resources. 3. Dependency auditing: Integrate with dependency auditing tools to scan for known vulnerabilities before installation. 4. Least privilege: Ensure the environment where these commands run has the absolute minimum necessary permissions. | Unknown | SKILL.md:90 |
| HIGH | **Command Injection via unsanitized git worktree variables.** The skill instructs the LLM to execute `git worktree add "$path" -b "$BRANCH_NAME"`. The variables `$path` and `$BRANCH_NAME` are derived from user input (e.g., branch name, location preference) or project context. Without explicit sanitization or validation of these variables, a malicious input (e.g., a branch name like `"; rm -rf /; #`) could lead to command injection, allowing arbitrary commands to be executed on the host system. Remediation: Implement robust sanitization and validation for `$path` and `$BRANCH_NAME` before they are used in shell commands. Consider using a safer API if available, or strictly whitelist allowed characters/patterns to prevent injection. | Unknown | SKILL.md:79 |
| MEDIUM | **Excessive Permissions: Unconfirmed gitignore modification and commit.** The skill instructs the LLM to 'Add appropriate line to .gitignore' and 'Commit the change' if a worktree directory is not ignored. This implies the LLM will construct and execute `git add .gitignore` and `git commit` commands. While the intent is to fix a configuration issue, an LLM under prompt injection could potentially add malicious patterns to `.gitignore` (e.g., ignoring critical security files) or craft malicious commit messages that could be used for social engineering or to hide malicious changes, without explicit user confirmation. Remediation: 1. Require explicit user confirmation: Before modifying `.gitignore` or committing changes, the LLM should present the proposed changes to the user and ask for explicit confirmation. 2. Strict content generation: Ensure the LLM is constrained to only add specific, predefined lines to `.gitignore` (e.g., `.worktrees/`, `worktrees/`) and use a fixed, benign commit message. | Unknown | SKILL.md:60 |