The Agent Skills Directory

Dynamic Execution (MEDIUM): The script launch-agent.sh constructs a shell command string (INNER_CMD) using variables that may contain malicious shell metacharacters and executes them in new terminal sessions (Ghostty, iTerm2, tmux, etc.).
Evidence: In launch-agent.sh, variables like $WORKTREE_PATH, $BRANCH, and $TASK are placed inside single quotes within a double-quoted string. If these variables contain a single quote, they can break out of the intended command structure and execute arbitrary shell code.
Indirect Prompt Injection (LOW): The skill ingests untrusted data from external sources that could be used to trigger the aforementioned command injection vulnerability.
Ingestion points: Branch names and project names are read from the Git environment and the filesystem in launch-agent.sh, status.sh, and cleanup.sh. PR metadata is fetched from GitHub via the gh CLI in sync.sh.
Boundary markers: Absent. External data is used directly in string interpolation for shell commands.
Capability inventory: The skill has the ability to run arbitrary shell commands (open, osascript, tmux), delete directories (rm -rf), and kill system processes (kill -9).
Sanitization: Absent. While some scripts use tr to slugify branch names, others use the raw branch name in command construction.
Unverifiable Dependencies & Remote Code Execution (LOW): The skill relies on external binaries like jq, gh (GitHub CLI), and uuidgen. While these are standard tools, the scripts do not verify their integrity or presence beyond a simple command -v check.
Data Exposure & Exfiltration (SAFE): The skill accesses a local registry file at ~/.claude/worktree-registry.json and standard environment variables. No evidence of data exfiltration to unauthorized domains was detected; network activity is restricted to GitHub via the gh tool.

worktree-manager