obra-using-git-worktrees
Flagged: isSafe=false, isSuspicious=true, riskLevel=high

Findings:

- shell_command (severity: high): Auto-run of project setup commands (npm install, cargo build, pip install, poetry install, go mod download) in newly created worktree can execute code during installation, enabling potential remote code execution if repository contains malicious setup scripts. Evidence:

  ```bash
  # Node.js setup block
  if [ -f package.json ]; then npm install; fi

  # Rust
  if [ -f Cargo.toml ]; then cargo build; fi

  # Python
  if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
  if [ -f pyproject.toml ]; then poetry install; fi

  # Go
  if [ -f go.mod ]; then go mod download; fi
  ```

- shell_command (severity: low): Potential tilde expansion bug: path is assigned as "~/.config/superpowers/worktrees/$project/$BRANCH_NAME" (tilde not expanded when quoted); may cause cd to fail or unintended path usage. Evidence: `path="~/.config/superpowers/worktrees/$project/$BRANCH_NAME"`

- shell_command (severity: low): Case/esac pattern uses a tilde-prefixed path; if LOCATION does not match, path is not set; potential default path risk. Evidence:

  ```bash
  case $LOCATION in
    .worktrees|worktrees)
      path="$LOCATION/$BRANCH_NAME"
      ;;
    ~/.config/superpowers/worktrees/*)
      path="~/.config/superpowers/worktrees/$project/$BRANCH_NAME"
      ;;
  esac
  ```

- shell_command (severity: low): Suppressing errors with 2>/dev/null hides issues that could lead to misbehavior or security issues. Evidence:

  ```bash
  ls -d .worktrees 2>/dev/null # Preferred (hidden)
  ls -d worktrees 2>/dev/null # Alternative

  git check-ignore -q .worktrees 2>/dev/null || git check-ignore -q worktrees 2>/dev/null
  ```

Summary: The content largely describes safe workflow automation for Git worktrees, but there are notable safety concerns. The automated execution of project setup commands (npm install, cargo build, pip install, etc.) within a new worktree can trigger arbitrary code execution if the repository contains malicious setup scripts. This is the primary safety risk (high). Additionally, there are correctness/robustness issues in path handling (tilde expansion and case-pattern coverage) that could lead to mislocated worktrees or failed directory changes. Recommendations: avoid auto-running potentially script-launching installs without explicit user consent or a safe-gateway (e.g., disable install scripts or run in an isolated VM with explicit prompts), fix path expansion (use $HOME or $USER) and ensure all case branches always set a valid path, and consider removing or reducing 2>/dev/null suppressions to surface errors for safer debugging.
npx machina-cli add skill faulkdev/github-copilot-superpowers/obra-using-git-worktrees --openclaw

Using Git Worktrees
Overview
Git worktrees create isolated workspaces sharing the same repository, allowing work on multiple branches simultaneously without switching.
Core principle: Systematic directory selection + safety verification = reliable isolation.
Announce at start: "I'm using the using-git-worktrees skill to set up an isolated workspace."
Directory Selection Process
Follow this priority order:
1. Check Existing Directories
```bash
# Check in priority order
ls -d .worktrees 2>/dev/null # Preferred (hidden)
ls -d worktrees 2>/dev/null # Alternative
```
If found: Use that directory. If both exist, .worktrees wins.
2. Check CLAUDE.md
```bash
grep -i "worktree.*director" CLAUDE.md 2>/dev/null
```
If preference specified: Use it without asking.
3. Ask User
If no directory exists and no CLAUDE.md preference:
No worktree directory found. Where should I create worktrees?
1. .worktrees/ (project-local, hidden)
2. ~/.config/superpowers/worktrees/<project-name>/ (global location)
Which would you prefer?
Safety Verification
For Project-Local Directories (.worktrees or worktrees)
MUST verify directory is ignored before creating worktree:
```bash
# Check if directory is ignored (respects local, global, and system gitignore)
git check-ignore -q .worktrees 2>/dev/null || git check-ignore -q worktrees 2>/dev/null
```
If NOT ignored:
Per Jesse's rule "Fix broken things immediately":
- Add appropriate line to .gitignore
- Commit the change
- Proceed with worktree creation
Why critical: Prevents accidentally committing worktree contents to repository.
For Global Directory (~/.config/superpowers/worktrees)
No .gitignore verification needed - outside project entirely.
Creation Steps
1. Detect Project Name
```bash
project=$(basename "$(git rev-parse --show-toplevel)")
```
2. Create Worktree
```bash
# Determine full path
case $LOCATION in
  .worktrees|worktrees)
    path="$LOCATION/$BRANCH_NAME"
    ;;
  "$HOME"/.config/superpowers/worktrees/*|'~/.config/superpowers/worktrees/'*)
    # Use $HOME here: a tilde inside double quotes is not expanded by the shell,
    # so a quoted "~/..." path would make cd fail or create a literal "~" directory
    path="$HOME/.config/superpowers/worktrees/$project/$BRANCH_NAME"
    ;;
  *)
    # Fail closed rather than continuing with an unset path
    echo "Unknown worktree location: $LOCATION" >&2
    exit 1
    ;;
esac
# Create worktree with new branch
git worktree add "$path" -b "$BRANCH_NAME"
cd "$path"
```
3. Run Project Setup
Auto-detect and run appropriate setup:
```bash
# Node.js (npm install runs lifecycle scripts declared by the project and its dependencies)
if [ -f package.json ]; then npm install; fi
# Rust (cargo build compiles and runs build.rs scripts and proc-macros from the dependency tree)
if [ -f Cargo.toml ]; then cargo build; fi
# Python (installing source distributions executes the package's build backend)
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
if [ -f pyproject.toml ]; then poetry install; fi
# Go (go mod download only fetches modules; it executes no code)
if [ -f go.mod ]; then go mod download; fi
```
4. Verify Clean Baseline
Run tests to ensure worktree starts clean:
```bash
# Examples - use project-appropriate command
npm test
cargo test
pytest
go test ./...
```
If tests fail: Report failures, ask whether to proceed or investigate.
If tests pass: Report ready.
5. Report Location
Worktree ready at <full-path>
Tests passing (<N> tests, 0 failures)
Ready to implement <feature-name>
Quick Reference
| Situation | Action |
|---|---|
| .worktrees/ exists | Use it (verify ignored) |
| worktrees/ exists | Use it (verify ignored) |
| Both exist | Use .worktrees/ |
| Neither exists | Check CLAUDE.md → Ask user |
| Directory not ignored | Add to .gitignore + commit |
| Tests fail during baseline | Report failures + ask |
| No package.json/Cargo.toml | Skip dependency install |
Common Mistakes
Skipping ignore verification
- Problem: Worktree contents get tracked, pollute git status
- Fix: Always use `git check-ignore` before creating a project-local worktree
Assuming directory location
- Problem: Creates inconsistency, violates project conventions
- Fix: Follow priority: existing > CLAUDE.md > ask
Proceeding with failing tests
- Problem: Can't distinguish new bugs from pre-existing issues
- Fix: Report failures, get explicit permission to proceed
Hardcoding setup commands
- Problem: Breaks on projects using different tools
- Fix: Auto-detect from project files (package.json, etc.)
Example Workflow
You: I'm using the using-git-worktrees skill to set up an isolated workspace.
[Check .worktrees/ - exists]
[Verify ignored - git check-ignore confirms .worktrees/ is ignored]
[Create worktree: git worktree add .worktrees/auth -b feature/auth]
[Run npm install]
[Run npm test - 47 passing]
Worktree ready at /Users/jesse/myproject/.worktrees/auth
Tests passing (47 tests, 0 failures)
Ready to implement auth feature
Red Flags
Never:
- Create worktree without verifying it's ignored (project-local)
- Skip baseline test verification
- Proceed with failing tests without asking
- Assume directory location when ambiguous
- Skip CLAUDE.md check
Always:
- Follow directory priority: existing > CLAUDE.md > ask
- Verify directory is ignored for project-local
- Auto-detect and run project setup
- Verify clean test baseline
Integration
Called by:
- brainstorming (Phase 4) - REQUIRED when design is approved and implementation follows
- Any skill needing isolated workspace
Pairs with:
- finishing-a-development-branch - REQUIRED for cleanup after work complete
- executing-plans or subagent-driven-development - Work happens in this worktree
Source
Source: https://github.com/faulkdev/github-copilot-superpowers/blob/integrate-obra-superpowers/.github/skills/obra/obra-using-git-worktrees/SKILL.md

Overview
This skill sets up isolated git worktrees to start feature work without touching the current workspace. It uses a smart directory selection plus safety verification to prevent leaking worktree contents into the main repo, then bootstraps the project and verifies a clean baseline.
How This Skill Works
The tool selects a worktree directory by priority (.worktrees, then worktrees, then CLAUDE.md, else user prompt), verifies that a project-local directory is git-ignored, and creates a new worktree with git worktree add <path> -b <BRANCH_NAME>. It then runs project setup based on detected project files (Node.js, Rust, Python, Go) and executes baseline tests to confirm a clean starting point.
When to Use It
- When starting feature work that needs isolation from the current workspace
- When implementing a plan and you want a dedicated, separate worktree
- When you need to validate a clean baseline with tests before merging
- When CLAUDE.md specifies a preferred worktree location and you should follow it
- When you want automatic project bootstrap (npm install, cargo build, pip install, etc.) in the new worktree
Quick Start
- Step 1: Detect project name with project=$(basename "$(git rev-parse --show-toplevel)")
- Step 2: Create the worktree at the chosen location with git worktree add <path> -b <BRANCH_NAME>, then cd into the path
- Step 3: Run project setup (Node.js/Cargo/pip/go) and verify a clean baseline with tests
Best Practices
- Prioritize existing directories in the order: .worktrees, then worktrees
- Always run git check-ignore to ensure the directory is ignored before creation
- If not ignored, update .gitignore and commit the change before proceeding
- Let the setup detect and install dependencies for Node.js, Rust, Python, or Go
- Run the baseline tests in the new worktree and report readiness only if they pass
Example Use Cases
- Node.js project with package.json: create a feature worktree, run npm install, and test locally
- Rust project with Cargo.toml: create a worktree, run cargo build/test
- Python project with requirements.txt or pyproject.toml: install deps and run pytest
- Go project with go.mod: run go mod download and go test
- Global worktree location for a multi-repo enhancement following CLAUDE.md preference