git-worktree
Fail
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's instructions mandate that the agent automatically execute package manager installation commands (npm install, composer install, pip install -e ., go mod download) if specific configuration files are detected in a worktree. This pattern executes potentially malicious code from the repository's configuration files (such as package.json scripts or setup.py), posing a risk during tasks like PR reviews of untrusted code.
- [DATA_EXFILTRATION]: Both the skill instructions and the worktree-manager.sh script automate the discovery and copying of sensitive environment files (e.g., .env, .env.local, .env.test) from the main repository root to the worktree directory. Duplicating files that typically contain secrets and credentials into subdirectories increases the exposure surface and risk of sensitive data mishandling.
- [COMMAND_EXECUTION]: The skill provides logic and instructions for installing and managing Git hooks, including integration with Husky. This allows for the execution of arbitrary scripts during Git lifecycle events, which can be leveraged for persistence or unintended background operations.
- [COMMAND_EXECUTION]: The skill relies on a custom shell script (worktree-manager.sh) to perform file system and Git operations. The script uses variables derived from agent input in shell commands, creating an execution surface on the host environment.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by ingesting untrusted data from repository configuration files without sanitization. Ingestion points: Repository configuration files (package.json, composer.json, pyproject.toml, go.mod). Boundary markers: Absent. Capability inventory: Shell execution (worktree-manager.sh), package installation, Git hook management. Sanitization: Absent.
Recommendations
- AI detected serious security threats
Audit Metadata