using-git-worktrees

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it automatically ingests data from the repository to determine its execution flow.
    • Ingestion points: The skill reads CLAUDE.md for directory preferences and scans project manifests (package.json, Cargo.toml, requirements.txt, pyproject.toml, go.mod) to decide which setup commands to run.
    • Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the files it reads.
    • Capability inventory: The skill has extensive execution capabilities, including running package managers and test runners, which can execute arbitrary code.
    • Sanitization: No sanitization is performed on the content of the manifest files or the test configurations before execution.
  • [Remote Code Execution] (HIGH): The automated use of npm install, pip install, and cargo build constitutes a remote code execution risk. Malicious repositories can include scripts (e.g., npm postinstall scripts) that execute immediately upon installation, providing a direct path for an attacker to compromise the agent's environment.
  • [Command Execution] (MEDIUM): The skill dynamically constructs and executes shell commands for git operations and test execution. While intended for automation, the lack of strict validation on variables like $BRANCH_NAME or $LOCATION (if derived from external files such as CLAUDE.md) could lead to command injection if those inputs are maliciously crafted.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:29 PM