using-git-worktrees

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • Dynamic Execution (MEDIUM): The skill constructs and executes shell commands using variables ($LOCATION, $path) derived from local files like CLAUDE.md via grep. This allows a malicious file in a repository to influence the shell command executed by the agent, potentially leading to command injection if the file contains shell metacharacters.
  • Indirect Prompt Injection (LOW): The skill is designed to trust and follow instructions found in the codebase (e.g., 'Check CLAUDE.md' for directory preferences and 'Use it without asking'). An attacker could place malicious instructions in CLAUDE.md to redirect worktree creation or manipulate environment variables.
      • Ingestion points: CLAUDE.md via grep -i "worktree.*director".
      • Boundary markers: None present; the skill explicitly states to use the found preference without asking.
      • Capability inventory: Execution of git worktree add, npm install, cargo build, pip install, and various test runners (npm test, pytest).
      • Sanitization: No sanitization or validation is performed on the string extracted from the project files before it is used in a shell case statement or path construction.
  • Remote Code Execution (LOW): By design, the skill runs project setup commands like npm install and npm test. While this is the intended purpose of the skill, it automatically executes scripts defined in the repository's configuration files (package.json, requirements.txt, etc.). If the repository itself is untrusted or compromised, this will result in the execution of malicious code on the host system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:42 PM