Worktree Manager
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent local development automation skill, but it can start Docker containers, copy databases, and delete worktrees/databases, so users should verify the package and approve destructive actions.
Install only if you intend to manage local Docker/Git/MySQL development instances. Verify the source and version, run it from the correct project directory, set a non-default MySQL password, keep env/worktree files gitignored, and never allow `remove-worktree` without explicit confirmation and backups.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken instance name or unapproved command could delete local development data and worktree files.
The skill exposes commands that can stop containers, drop a database, and remove a Git worktree. This is aligned with the stated purpose and disclosed as destructive, but it is high-impact.
./run.sh remove-worktree <name> # stop containers + drop db + remove worktree
Run `./run.sh list` first, confirm the exact instance name, and require explicit user approval before `remove-worktree`.
Using the default password or root access outside a trusted local dev setup could expose or alter databases more broadly than intended.
The script uses MySQL root credentials and defaults to `secret` if no password is provided. That is expected for this local database-management workflow but is sensitive authority.
MYSQL_ROOT_PASS="${MYSQL_ROOT_PASSWORD:-${MYSQL_ROOT_PASS:-secret}}" ... mysql -uroot -p"$MYSQL_ROOT_PASS"Set `MYSQL_ROOT_PASSWORD` explicitly, avoid production databases, and run this only against the intended local MySQL container.
Any data in the main local database may be duplicated into worktree databases.
Starting non-main instances copies the main database into the target instance database. This is disclosed seeding behavior, but it can propagate sensitive or stale data into new dev instances.
mysqldump -uroot -p"$MYSQL_ROOT_PASS" "$MYSQL_MAIN_DB" | docker exec -i "$MYSQL_CONTAINER" mysql -uroot -p"$MYSQL_ROOT_PASS" "$dest_db"
Use sanitized development data for `MYSQL_MAIN_DB` and avoid seeding from production-like databases.
It may be harder to verify which exact release or source code is being installed and reviewed.
The registry source is not identified, and the versioning is inconsistent with `SKILL.md` showing `version: 1.3.0` and `_meta.json` showing `version: 1.0.2`.
Source: unknown; Homepage: none; Version: 1.0.3
Confirm the trusted origin and expected version before using the skill, especially before running its shell script in a project.