Skill v1.0.0

ClawScan security

git-worktree-manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 3:18 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions are consistent with a local git worktree management tool; it does not request unrelated credentials or reach out to external endpoints, but it does copy local .env files and can run dependency installers, both of which have security implications you should consider.
Guidance
This tool appears to do what it says: create/manage git worktrees, allocate and persist ports, copy .env files, and optionally run dependency installation. Before running it:

- Review the scripts locally (they are included) and run them in a trusted repository. They call git and run package managers via subprocess, but do not send data to external endpoints.
- Be cautious about the .env file copy: sensitive environment variables (API keys, DB passwords) will be duplicated into the worktree directory. If that is undesirable, remove or sanitize .env files before using the tool or modify ENV_FILES in the script.
- Be cautious with --install-deps: dependency installation can execute install/postinstall scripts from packages. Prefer running installs inside an isolated environment (container, VM, or sandbox) or inspect lockfiles/package.json first.
- Note where worktrees are created: the manager creates directories adjacent to the repo (repo.parent / <name>), so verify the target path to avoid unintended filesystem writes.

If you want lower risk, run the tool with dependency installation disabled and inspect copied files before starting any services. If you need further review, I can point out exact lines that copy .env files and invoke installers.

Review Dimensions

Purpose & Capability
Status: ok
Name/description (git worktree management) align with the included scripts and SKILL.md. The scripts perform expected tasks: list/create/remove worktrees, allocate ports, persist .worktree-ports.json, copy .env* files, and optionally run dependency installers. Nothing requested or included is disproportionate to managing local worktrees.
Instruction Scope
Status: note
SKILL.md and the scripts stay within the worktree management domain, but the tool explicitly copies any present local .env* files into new worktrees (possible duplication of secrets) and optionally runs dependency installers (pnpm/yarn/npm/bun/pip), which may execute arbitrary code defined by the repository's lockfiles/postinstall scripts. These behaviors are coherent for the purpose but carry local security/privacy concerns.
Install Mechanism
Status: ok
No install spec is provided (instruction-only plus included scripts). No remote downloads or archive extraction are present in the skill metadata or code. The scripts only use local subprocesses and filesystem operations.
Credentials
Status: note
The skill requests no environment variables or external credentials. However, it reads and copies local .env* files (potentially containing sensitive secrets) and will run package managers, which will access network package registries unless run offline. The absence of declared env/credentials is appropriate, but the copying behavior should be considered when sensitive local secrets exist.
Persistence & Privilege
Status: ok
The skill is not always-enabled and does not modify other skills or system-wide agent settings. It writes per-worktree files (.worktree-ports.json and copied .env* files) and may remove worktrees when invoked with removal flags; this is expected for its purpose.