Trust Assessment
using-git-worktrees received a trust score of 69/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via CLAUDE.md parsing, Supply Chain Risk via Automated Dependency Installation, Excessive Permissions: Automated .gitignore modification and commit.
The analysis covered 4 layers: llm_behavioral_safety, manifest_analysis, static_code_analysis, dependency_graph. The llm_behavioral_safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit a98c5dfc). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via CLAUDE.md parsing The skill instructs the agent to read a 'worktree directory' preference from `CLAUDE.md` and 'Use it without asking'. The method for parsing and sanitizing this preference is not specified. If the extracted value from `CLAUDE.md` contains shell metacharacters (e.g., `;`, `&&`, `|`), and is then directly interpolated into shell commands like `cd "$path"`, it could lead to arbitrary command execution. The skill does not provide any sanitization steps for this external input. Implement robust parsing and sanitization for any values extracted from `CLAUDE.md` before using them in shell commands. Ensure that only valid directory paths are accepted and that shell metacharacters are escaped or rejected. For example, use a dedicated parsing function that validates the path format. | Unknown | SKILL.md:30 | |
| HIGH | Supply Chain Risk via Automated Dependency Installation The skill explicitly instructs the agent to run various dependency installation commands (`npm install`, `cargo build`, `pip install`, `poetry install`, `go mod download`) based on detected project files. These commands download and execute code from external repositories (e.g., npm, crates.io, PyPI, Go modules). If the project's dependencies are malicious, contain vulnerabilities, or are typosquats, this skill will facilitate their installation and execution without any inherent checks or warnings, posing a significant supply chain risk. Add explicit instructions for the agent to verify the integrity and trustworthiness of dependencies before installation, if possible. This could include checking for known vulnerabilities, reviewing dependency lists, or prompting the user for approval. Consider adding a warning about the inherent risks of installing untrusted dependencies. | Unknown | SKILL.md:74 | |
| MEDIUM | Excessive Permissions: Automated .gitignore modification and commit The skill explicitly instructs the agent to modify the project's `.gitignore` file and then commit this change to the repository if a worktree directory is not already ignored. This grants the agent the ability to alter the project's version control history and ignore rules. While intended for a specific purpose, this is a powerful capability that could be misused if the agent's instructions are compromised or misinterpreted, potentially leading to unintended changes in the repository's tracking configuration. Consider adding a user confirmation step before modifying and committing `.gitignore` to ensure explicit approval for such a significant change. Clearly define the exact content to be added to `.gitignore` to prevent unintended ignore patterns. | Unknown | SKILL.md:52 |
Scan History
Embed Code
[](https://skillshield.io/report/31cccc31f61115f0)
Powered by SkillShield