skills/jsonlee12138/prompts/solo-ops/Gen Agent Trust Hub

solo-ops

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's logic in scripts/solo_ops.py explicitly configures AI sessions to run without the standard safety guardrails. The build_launch_cmd function passes flags such as --dangerously-skip-permissions to the Claude CLI and --dangerously-bypass-approvals-and-sandbox to the Codex CLI. These flags bypass permission prompts and sandbox restrictions, so an agent launched this way could perform actions the user never approved.
  • [COMMAND_EXECUTION]: The skill uses the subprocess module to perform high-privilege operations, including git worktree management and terminal session control. The pane_send function injects text taken from task descriptions directly into active shell sessions via wezterm cli send-text or tmux send-keys. Because task descriptions are often supplied by external inputs, this is a command injection vector into the running terminal environment.
  • [COMMAND_EXECUTION]: The cmd_install function modifies the host's configuration by creating a dedicated directory at ~/.claude/skills/solo-ops/ and establishing a persistent symlink at ~/.local/bin/solo-ops. It also changes file permissions with chmod 0o755. These actions extend the skill's influence beyond the immediate project to the user's global system environment.
  • [COMMAND_EXECUTION]: The tool automates destructive or sensitive git operations through functions such as cmd_delete (using git worktree remove --force and git branch -D) and cmd_merge. These commands can delete work or rewrite repository history automatically in response to AI-triggered commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 10, 2026, 06:52 AM