Security Audit
using-git-worktrees
github.com/davila7/claude-code-templates
Trust Assessment
using-git-worktrees received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Potential Command Injection via User-Provided Branch Name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via User-Provided Branch Name. The skill constructs shell commands using variables like `BRANCH_NAME` and `path` which are likely derived from user input. If `BRANCH_NAME` contains shell metacharacters (e.g., semicolons, backticks, `$(...)`), it could lead to arbitrary command execution when used in `git worktree add` or `cd`. For example, if `BRANCH_NAME` is `mybranch; rm -rf /`, the shell might execute `rm -rf /` after the `git` command, or `cd` into a manipulated path and then execute the injected command. The `path` variable, constructed as `"$LOCATION/$BRANCH_NAME"`, is also vulnerable to path traversal if `BRANCH_NAME` contains `../` sequences, potentially allowing worktrees to be created or `cd` commands to operate outside the intended project scope, followed by command injection. Implement robust sanitization or escaping for user-provided inputs like `BRANCH_NAME` before incorporating them into shell commands. Ensure that the execution environment for shell commands properly quotes arguments to prevent shell metacharacter interpretation. For example, use `shlex.quote()` in Python or similar mechanisms in other languages, or pass arguments as a list to `subprocess.run(..., shell=False)`. | LLM | SKILL.md:77 |
| MEDIUM | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Automated Execution of Dependency Installation Poses Supply Chain Risk. The skill instructs the agent to automatically run package manager commands (`npm install`, `cargo build`, `pip install`, `poetry install`, `go mod download`) based on detected project files. While necessary for setting up a development environment, this automates the fetching and execution of potentially untrusted code from project dependencies. If the project's dependency files (e.g., `package.json`, `requirements.txt`) are compromised or malicious, this could lead to the execution of arbitrary code on the system. The skill does not include any mitigation steps like dependency locking verification or user confirmation for new dependencies. Consider adding steps to verify dependency integrity (e.g., checking lock files, displaying new dependencies for user review) before automatically installing them. Provide an option for the user to confirm or deny dependency installation, especially for projects with unknown or untrusted origins. Implement sandboxing or least-privilege execution for dependency installation steps where possible. | LLM | SKILL.md:86 |
| LOW | Covert behavior / concealment directives. Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |