skills/markphelps/agent-plugins/wt/Gen Agent Trust Hub

wt

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents a hook system where shell commands (e.g., post_create, post_checkout) are executed automatically during worktree operations. These hooks can be defined in a repository-level .wt.toml file, which allows a malicious repository to execute arbitrary code on the agent's system when worktree tasks are performed.
  • [PROMPT_INJECTION]: The agent is instructed to use commands like wt ls, wt status, wt pr, and wt mr, which ingest external data such as branch names, PR titles, and MR descriptions. This creates a surface for indirect prompt injection where malicious instructions hidden in these fields could influence the agent's behavior.
      • Ingestion points: External data is ingested via wt ls, wt status, wt pr, and wt mr outputs as described in SKILL.md.
      • Boundary markers: The instructions do not specify the use of delimiters or 'ignore instructions' warnings for the ingested data.
      • Capability inventory: The agent has the capability to execute shell commands and modify the file system.
      • Sanitization: No sanitization or validation of the ingested external metadata is mentioned.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 08:38 PM