The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill creates an attack surface where architectural decisions and task descriptions are shared between independent Claude instances.
Ingestion points: Untrusted data enters the agent context through the .claude/coordination/registry.json file, specifically the decisions_log and task fields.
Boundary markers: Absent. The skill does not implement delimiters or system-level instructions to ignore potential commands embedded within shared decisions.
Capability inventory: The skill possesses powerful capabilities including Bash execution and Write access to the filesystem.
Sanitization: Absent. There is no evidence of sanitization or validation of the free-text strings pulled from the shared registry before they are presented to the agent.
Command Execution (SAFE): The skill uses Bash and standard Git operations to manage worktrees. These operations are consistent with the primary purpose of the skill and do not involve suspicious privilege escalation or obfuscated commands.

worktree-coordination