worktree-manager

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Helper scripts are vulnerable to command injection via shell variable interpolation. In scripts/launch-agent.sh, the use of an unquoted heredoc (cat > "$TEMP_SCRIPT" << SCRIPT) allows for command substitution if variables like $BRANCH or $TASK contain shell meta-characters. Additionally, the SKILL.md file uses the !command syntax to execute shell commands like git status and cat ~/.claude/worktree-registry.json automatically at skill load time to populate the agent's state.
  • [REMOTE_CODE_EXECUTION]: The skill's primary function involves generating and executing shell scripts to launch new terminal sessions. It explicitly mandates the --dangerously-skip-permissions flag for these sessions, which enables fully autonomous agent behavior and bypasses standard security prompts.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
    • Ingestion points: The agent is instructed to read the WORKTREE_TASK.md file created in each new worktree as specified in SKILL.md and reference/agent-launching.md.
    • Boundary markers: The generated WORKTREE_TASK.md lacks delimiters or specific instructions for the agent to ignore embedded commands.
    • Capability inventory: The launched agents are configured with the --dangerously-skip-permissions flag, allowing them to perform autonomous file writes and shell execution via the Bash tool.
    • Sanitization: There is no sanitization of the branch names or task descriptions before they are written to the WORKTREE_TASK.md file.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 27, 2026, 07:59 PM