linear-validate-feature

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses eval "$(python3 scripts/worktree.py detect)" in SKILL.md to dynamically configure the environment. This pattern executes the output of a script directly in the shell, which can lead to arbitrary command execution if the script's output is influenced by external or untrusted environment factors.
  • [COMMAND_EXECUTION]: The scripts/start-worktree-api.sh script executes kill "$EXISTING_PID" to terminate processes listening on a specific port. This allows the skill to terminate arbitrary processes on the host system without proper validation of the process ownership or type.
  • [COMMAND_EXECUTION]: The scripts/start-worktree-api.sh script executes source "$VENV_ACTIVATE" where the path defaults to a location in the main repository. This results in the execution of external shell scripts at runtime.
  • [CREDENTIALS_UNSAFE]: Hardcoded default credentials and placeholders are present in the scripts. scripts/start-worktree-api.sh and scripts/smoke_tests/conftest.py use test-validate-key as a default for ADMIN_API_KEY and API_AUTH_VALUE respectively.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by ingesting untrusted data to drive tool execution.
      • Ingestion points: Branch names (via git branch --show-current), command-line arguments ($ARGUMENTS), GitHub PR metadata (via gh pr view), and specification files from the OPENSPEC_PATH.
      • Boundary markers: None used when interpolating these values into shell commands or GitHub CLI calls.
      • Capability inventory: The skill has broad capabilities including file writing (cat > "$REPORT_FILE"), network requests (curl, httpx), process management (kill, docker-compose), and repository interaction (gh pr comment).
      • Sanitization: While some basic parsing is performed on the change ID, malicious branch names or PR content could potentially influence the commands executed by the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 12, 2026, 10:45 PM