Back to skill

Security audit

ia-git-worktree

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Git worktree helper, but it automatically duplicates local .env files and can force-remove worktrees with limited safeguards.

Install only if you are comfortable with a worktree tool that changes local Git state and duplicates .env files. Before running create or copy-env, inspect which .env files exist and avoid using it on repos with highly sensitive tokens unless you want those copied into every worktree. Before cleanup, manually check inactive worktrees for uncommitted work because the script removes them with --force.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill's declared purpose focuses on managing Git worktrees, but the documented behavior also includes copying local `.env*` files, modifying `.gitignore`, and updating branch state before worktree creation. Those side effects materially change repository state and may duplicate secrets into additional working directories, so users may invoke the skill without understanding its broader security and data-handling impact.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document says the manager copies `.env`, `.env.local`, `.env.test`, etc. into new worktrees, but it does not frame this as a security-sensitive action. Duplicating environment files can replicate API keys, database credentials, and other secrets into more locations, increasing accidental exposure through backups, indexing, misconfigured tooling, or later commits.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example explicitly states that .env files are copied automatically into a new worktree, but provides no warning that these files often contain secrets such as API keys, tokens, or database credentials. In a workflow skill, normalizing secret duplication across directories increases the chance of accidental exposure through commits, logs, tooling, or weaker filesystem hygiene in temporary worktrees.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The parallel development examples repeat the pattern of automatically copying .env files into multiple worktrees, multiplying the number of secret-bearing copies on disk. This broadens the attack surface and makes accidental leakage more likely, especially because users are encouraged to create several worktrees and switch among them without any disclosure of credential-handling risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically copies all root-level .env* files except .env.example into each new or selected worktree. These files commonly contain API keys, database passwords, and tokens, so replicating them increases secret exposure across multiple directories and backups without any warning, minimization, or consent flow.

Credential Access

High
Category
Privilege Escalation
Content
fi
}

# Copy .env files from main repo to worktree
copy_env_files() {
  local worktree_path="$1"
Confidence
93% confidence
Finding
.env

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.