git-worktree
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill programmatically searches for and accesses sensitive environment configuration files.
  * Evidence: The `copy_env_files` function in `scripts/worktree-manager.sh` (lines 32-70) identifies and reads all files matching the `.env*` pattern in the repository root.
  * Evidence: `SKILL.md` explicitly promotes this behavior as a feature: 'Automatic .env file copying from main repo to new worktrees'.
  * Context: While intended to facilitate setup, this behavior automates the access and duplication of sensitive credentials such as API keys.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through unvalidated branch names.
  * Ingestion points: The script accepts branch and worktree names as command-line arguments (`$1`, `$2`) in `scripts/worktree-manager.sh`, which may originate from untrusted sources such as pull requests.
  * Boundary markers: No explicit boundary markers or ignore instructions are used to separate user data from commands.
  * Capability inventory: The skill executes `mkdir`, `cp`, and `git worktree add` (in `scripts/worktree-manager.sh`), which can be exploited if paths are manipulated.
  * Sanitization: The script does not validate or sanitize inputs against path traversal characters (e.g., `../`), allowing a malicious branch name to potentially redirect file operations or directory creation to unintended locations.
Audit Metadata