Worktrunk

Pass. Audited by ClawScan on May 10, 2026.

Overview

Worktrunk’s instructions are coherent for a Git worktree tool, but it installs/runs an external CLI and can launch agents, run hooks, and delete branches, so use it only on trusted repositories.

This skill appears purpose-aligned, but install it only if you trust the `vx` source for Worktrunk. Review repository hook files before running it, be careful with merge/remove commands that delete branches or worktrees, and review all AI-agent changes before merging them.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You would be trusting the `vx` package source for the actual executable behavior, which was not reviewable in these artifacts.

Why it was flagged

The skill tells the user or agent to install and run an external CLI, but the reviewed package contains only instructions and no CLI source code.

Skill content

vx install worktrunk
vx worktrunk --version    # verify

Recommendation

Verify the `vx` package source and version before installation, and prefer a pinned or trusted release when using it on important repositories.

What this means

A repository’s Worktrunk hook configuration could run dependency installs or other commands when you create or merge worktrees.

Why it was flagged

The documented hook system can automatically run local commands during worktree creation or merge.

Skill content

[post_create]
command = "npm install"     # auto-install deps on create

[pre_merge]
command = "vx run test"      # run tests before merge

Recommendation

Only enable hooks in repositories you trust, and review `.worktrunk/hooks.toml` before running Worktrunk commands.

What this means

Misuse or an unintended invocation could remove local worktrees or branches in the target repository.

Why it was flagged

The documented workflow can remove worktrees and delete Git branches as part of normal cleanup.

Skill content

vx wt merge          # squash merge + delete worktree + delete branch
vx wt remove --with-branch feat/auth  # remove worktree + branch

Recommendation

Confirm the target branch/worktree before merge or remove operations, and make sure important work is committed or backed up.

What this means

A launched agent may make code changes in its worktree, which can later be merged into the main repository.

Why it was flagged

The skill explicitly supports launching another AI agent in a new worktree; this is purpose-aligned but creates autonomous activity the user should bound.

Skill content

vx wt switch -c -x claude feat/auth

# (inside worktree, agent runs autonomously)

Recommendation

Launch agents only for clear user-approved tasks, review their changes before merge, and avoid running multiple agents without supervision.

What this means

Repository content or diffs could be summarized or processed outside the immediate Git workflow if those features use an external LLM.

Why it was flagged

The documentation mentions LLM-generated commit messages and summaries, which may involve processing repository diffs or status through an LLM or provider, though the artifacts do not specify the provider or data handling.

Skill content

quality-of-life features like hooks, LLM commit messages ...
vx wt list --full     # with CI status, AI-generated summaries, diff preview

Recommendation

Check Worktrunk’s LLM configuration and provider behavior before using LLM summaries or commit-message features on private code.