The Agent Skills Directory

[COMMAND_EXECUTION]: Shell command injection vulnerability in scripts/launch-agent.sh. The script uses AppleScript to launch terminal sessions in iTerm2, interpolating the WORKTREE_PATH variable directly into a shell command string: write text "cd '$WORKTREE_PATH' && ...". Because the variable is wrapped in single quotes but not escaped, a worktree path containing a single quote followed by shell commands would result in arbitrary execution.\n- [COMMAND_EXECUTION]: jq filter injection in cleanup.sh, register.sh, status.sh, and launch-agent.sh. These scripts interpolate variables like PROJECT, BRANCH, and WORKTREE_PATH directly into jq filter strings using double quotes. An attacker could craft a malicious project or branch name with escaped double quotes to manipulate the logic of registry operations, potentially leading to unauthorized modification or corruption of the ~/.claude/worktree-registry.json file.\n- [PROMPT_INJECTION]: Indirect prompt injection through unvalidated template substitution. The skill substitutes branch and project names into templates used to prompt newly launched Claude agent instances. These values are derived from the local git environment without sanitization or boundary markers, allowing a malicious repository with a crafted branch name to influence the instructions given to the launched agent instance.

worktree-manager