git-worktree

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • Data Exposure & Exfiltration (MEDIUM): The script scripts/worktree-manager.sh accesses and copies sensitive environment files (.env, .env.local, .env.test) from the repository root to worktree subdirectories. Access to these paths is categorized as high-risk data exposure. The severity is adjusted to MEDIUM as this functionality is central to the skill's utility and includes a safeguard that automatically adds the destination to .gitignore.
  • Indirect Prompt Injection (LOW): The skill ingests user-provided branch names and interpolates them into shell commands. This creates a surface for indirect prompt injection.
    1. Ingestion points: branch_name and from_branch parameters in SKILL.md.
    2. Boundary markers: None present.
    3. Capability inventory: execution of git, mkdir, cp, and rmdir commands.
    4. Sanitization: Inputs are double-quoted in shell scripts to prevent basic command injection.
  • Command Execution (SAFE): The skill performs local Git operations via a bash script. All external inputs are properly quoted to prevent shell-level command injection, and no remote code execution or persistence patterns were identified.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 04:11 PM