git-worktree

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The SKILL.md instructions require the agent to auto-detect and run setup commands like pnpm install, pip install, and cargo build. This is high-risk as it allows arbitrary code execution via package installation hooks (e.g., preinstall/postinstall scripts).
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill mandates running test suites (e.g., pytest, pnpm test) immediately after setup. Test runners execute project code, providing an immediate vector for RCE if the repository contains malicious test logic.
  • [COMMAND_EXECUTION] (MEDIUM): The scripts setup-worktrees.sh and cleanup-worktrees.sh do not sanitize the feature name arguments. A malicious input could potentially lead to path traversal or unintended directory deletion via the rm -rf command in the cleanup script.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The automated use of package managers triggers downloads from external registries. If the repository's configuration files are malicious, the agent will download and install untrusted third-party dependencies without verification.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill possesses a large attack surface for indirect injection.
      • Ingestion points: Project manifests (package.json, requirements.txt), configuration files (CLAUDE.md), and test outputs.
      • Boundary markers: None; the agent is not instructed to treat these files as untrusted.
      • Capability inventory: Full subprocess execution for installations and testing, file system writes, and Git modifications.
      • Sanitization: None; the agent executes commands based on the presence and content of external files.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:16 PM