ClawHub

git-worktree-manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local Git worktree helper, but users should be careful with environment-file copying and dependency installation.

Install this only if you want local Git worktree automation. Before running it, review whether your .env files contain secrets, avoid --install-deps unless you trust the repo and its dependencies, and use cleanup flags carefully because forced cleanup can remove local worktree state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
When --install-deps is enabled, the script runs npm/yarn/pnpm/bun/pip install inside the target worktree. Package installation commonly executes arbitrary lifecycle hooks or setup code from the checked-out repository, so creating a worktree for an untrusted branch can become arbitrary code execution on the host.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically copies .env, .env.local, .env.development, and .envrc from the main repo into the new worktree. These files often contain secrets, and copying them into another checkout or branch broadens secret exposure and can leak credentials to untrusted code, tools, or users with access to the worktree.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Copying `.env*` files into new worktrees can duplicate secrets, tokens, database credentials, and developer-specific access material into additional filesystem locations without warning or safeguards. That increases the attack surface for credential leakage through accidental commits, weaker permissions, backups, logs, or less-controlled worktree directories.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Sensitive environment files are copied silently with no interactive warning or explicit disclosure at the point of action. In this skill context, worktree creation looks operationally routine, so automatic secret propagation is more dangerous because users may not realize credentials are being duplicated into a potentially less-trusted workspace.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The optional dependency-install feature invokes external package managers without a strong user-facing warning that this may execute arbitrary repository-controlled scripts. In a developer automation skill, that context increases risk because users may treat install-deps as a convenience step rather than a code-execution decision.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal