eliteforge-git-specification

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Multiple scripts within the scripts/ directory lack proper shell quoting for variables, which can lead to command injection if branch names or user-supplied parameters contain shell metacharacters (e.g., ;, &, |).
      • In scripts/rename_git_branch, the variables $old_branch and $new_branch are used unquoted in commands such as git push --no-verify origin $new_branch and git push --no-verify origin --delete $old_branch.
      • In scripts/delete_merged_branches, the variable $branch (derived from remote branch names) is used unquoted in git push origin --delete $branch and git branch -d $branch.
      • In scripts/check_merge, the command git checkout ${branch}/$version uses unquoted variables.
  • [COMMAND_EXECUTION]: The script discovery logic in SKILL.md searches for the scripts directory starting from the current directory, $SKILLS_HOME, and the user's $HOME directory. This broad search path could lead to the unintended execution of malicious scripts if an attacker places a matching directory structure in a higher-priority location on the file system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 09:33 AM