The Agent Skills Directory

[COMMAND_EXECUTION]: The skill is vulnerable to command injection because it directly interpolates unvalidated user input ({branch-name}, {base-branch}) into shell command strings (e.g., git worktree add ../{branch-name}). * Ingestion points: User-provided <branch-name> and [base-branch] arguments. * Boundary markers: None; the input is placed directly into bash command strings. * Capability inventory: Executes git, mkdir, cp, cd, uv sync, pip install, and npm install via the system shell. * Sanitization: None; the skill does not escape shell metacharacters in the arguments.
[EXTERNAL_DOWNLOADS]: The workflow automatically triggers npm install, pip install, and uv sync in the newly created worktree. These tools download packages from public registries and often execute lifecycle scripts or setup code automatically, which can lead to remote code execution if the project's dependencies are compromised or if the user points the tool at a malicious branch.
[CREDENTIALS_UNSAFE]: The skill explicitly searches for and copies .env and .env.local files from the original repository to the new worktree. These files frequently contain sensitive secrets such as API keys and database credentials. Automating the movement of these files increases the risk of accidental exposure or leakage if the worktree is shared, misconfigured, or accessed by unauthorized processes.

create-worktree