using-git-worktrees

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill automatically triggers installation and build commands (npm install, cargo build, pip install, poetry install, go mod download) and test suites (npm test, cargo test, pytest, go test) based on the presence of project files. In an adversarial context, a malicious repository can use lifecycle hooks (e.g., npm 'preinstall' or 'test' scripts) to execute arbitrary code on the user's machine as soon as this skill is activated.
  • [COMMAND_EXECUTION] (HIGH): The skill executes shell commands using variables like $BRANCH_NAME and $LOCATION. If these variables are influenced by untrusted external input (e.g., a branch name containing shell metacharacters), it could lead to command injection.
  • [EXTERNAL_DOWNLOADS] (HIGH): It initiates network connections to external registries (npm, PyPI, Crates.io) to download dependencies without explicit user review of the dependency tree.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill ingests untrusted data from the repository, specifically searching CLAUDE.md for instructions and reacting to the presence of configuration files. Maliciously crafted files in a repository could exploit the skill's auto-setup capabilities to gain unauthorized execution or manipulate the agent's behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:35 PM