Can you please expand on your comment? It currently makes zero sense with zero references.

It uses libgit2 for this; I don't know what specific attack vector you're thinking about though.

Git's on disk format has a massive attack surface.

Do not run "git" in untrusted directories. It is not hardened against that (as opposed to the network protocol).

That probably includes libgit2 unless it explicitly states the opposite.

The blurb made it sound like it checks the git status by default. But this isn't the case. You have to explicitly ask for with --git. Never mind then.