The Agent Skills Directory

[COMMAND_EXECUTION]: The scripts worktree-start.sh and worktree-finish.sh execute various git commands (e.g., merge, branch -d, worktree add) using user-provided arguments for branch names and paths. While variables are quoted to prevent shell word-splitting, the scripts lack the -- separator in several Git calls. This makes them susceptible to argument injection if a user provides a branch name starting with a hyphen (e.g., -D or --help). Additionally, the --path argument in worktree-start.sh allows for directory creation and repository initialization at arbitrary system locations where the user has permissions.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted user data (branch names, paths) to perform significant repository and file system operations.
Ingestion points: User-supplied branch names, base references, and file paths provided via the agent's prompts.
Boundary markers: The agent guidelines recommend confirming the user's intent before making changes, but no technical boundary markers or 'ignore' instructions are used when interpolating these values into script arguments.
Capability inventory: The scripts perform directory creation (mkdir -p), repository merging (git merge), branch deletion (git branch -d), and directory removal (git worktree remove).
Sanitization: The branch_slug function provides some sanitization for directory names, but the raw branch name is used directly in Git commands without sufficient validation or escaping for Git-specific control characters.

git-worktree-feature-flow