Trust Assessment
using-git-worktrees received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are Supply Chain Risk via Untrusted Project Dependencies and Potential Command Injection via Unsanitized Inputs.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Supply Chain Risk via Untrusted Project Dependencies**<br>The skill explicitly instructs the agent to execute dependency installation, build, and test commands (`npm install`, `cargo build`, `pip install -r requirements.txt`, `poetry install`, `go mod download`, `npm test`, `cargo test`, `pytest`, `go test`) based on files found within the project. If the project itself is untrusted or contains malicious dependency configurations (e.g., in `package.json`, `requirements.txt`, `Cargo.toml`), these commands can lead to arbitrary code execution, downloading malicious packages, or other supply chain attacks. The skill does not include any mechanisms for sandboxing these operations, verifying dependency integrity, or warning about the risks of executing code from untrusted projects.<br>Implement sandboxing for dependency installation and build steps (e.g., using Docker containers or isolated environments). Add explicit warnings to the agent about the risks of running these commands on untrusted projects. Consider adding checks for dependency integrity (e.g., checksum verification) or requiring pinned versions. Instruct the agent to prompt the user for confirmation before executing potentially risky commands on untrusted projects. | Unknown | SKILL.md:90 |
| MEDIUM | **Potential Command Injection via Unsanitized Inputs**<br>The skill constructs shell commands using variables `LOCATION` and `BRANCH_NAME` (e.g., `git worktree add "$path" -b "$BRANCH_NAME"`, `cd "$path"`). The `LOCATION` variable can be derived from `CLAUDE.md` (a potentially untrusted project file) or user input, and `BRANCH_NAME` is likely user-provided or derived from user intent. The skill does not specify any sanitization or validation for these variables before they are interpolated into shell commands. If `CLAUDE.md` contains malicious shell metacharacters in the 'worktree directory' preference, or if a user provides a branch name containing such characters (e.g., `myfeature; rm -rf /`), it could lead to command injection and arbitrary code execution.<br>Instruct the agent to strictly sanitize or validate all user-provided or project-derived string inputs (like branch names and directory paths) before using them in shell commands. Specifically, ensure that `LOCATION` and `BRANCH_NAME` are treated as literal strings and any shell metacharacters are escaped or rejected. For `CLAUDE.md` parsing, use robust parsing methods that extract only the intended path and do not interpret subsequent text as commands. | Unknown | SKILL.md:80 |