The Agent Skills Directory

[COMMAND_EXECUTION]: The worktree-manager.sh script executes shell commands using unvalidated branch names. This allows for potential shell injection if characters like backticks or subshell expansions are used in branch name arguments.- [REMOTE_CODE_EXECUTION]: In scripts/worktree-manager.sh, the symlink_env function performs a python3 -c call where the command string is built using direct interpolation of the $worktree_path variable. An attacker can use a single quote in a branch name to terminate the Python string and execute arbitrary Python code (e.g., os.system).- [DATA_EXFILTRATION]: The skill automatically symlinks the root .env file into subdirectories created for worktrees. This practice exposes sensitive environment variables and secrets to any process or tool operating within the worktree, increasing the risk of accidental exposure or exfiltration.- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted branch names and uses them in sensitive system operations. Ingestion points: branch_name and from_branch parameters in SKILL.md. Boundary markers: None. Capability inventory: python3 subprocess execution, git command execution, and file system writes. Sanitization: Only replaces slashes with dashes; no escaping for shell or Python quote characters.

git-worktree