skills/verneagent/tiny-skills/rmwt/Gen Agent Trust Hub

rmwt

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates variables like worktree paths and branch names directly into shell commands (e.g., rm -rf <PROJECT_HANDOFF_DIR>, git log ...<BRANCH_NAME>, git -C <WORKTREE_PATH>) without robust escaping or quoting. If these names contain shell metacharacters (e.g., semicolons, backticks, or dollar signs), it could lead to arbitrary command execution on the host machine.
  • [COMMAND_EXECUTION]: The Python scripts (dissolve_groups.py, list_workspace_groups.py) dynamically append directories from other skills to the system path (sys.path.insert(0, ...)) to import modules like handoff_config. This pattern of loading code from computed local paths is a security risk as it creates a dependency on the integrity of other skill directories.
  • [COMMAND_EXECUTION]: The skill instructions explicitly require the agent to use dangerouslyDisableSandbox: true for steps involving Lark API interactions. This configuration bypasses the security boundaries of the agent environment, granting the skill's scripts elevated access to the user's system and sensitive credentials.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 14, 2026, 02:41 AM