{"id":"755d2d48-c39b-4eba-adc8-d78fc4c5890d","shortId":"ccbZY9","kind":"skill","title":"safe-worktree-slug-validation","tagline":"Ensure Git worktree slugs can never escape the managed workspace or inject traversal.","description":"# SKILL: Safe Worktree Slug Validation\n**Domain:** git-worktree\n**Trigger:** Apply this when accepting user-provided prefixes for enter worktree and you need to guarantee no path traversal or invalid chars slip into the worktree directory.\n**Source Pattern:** Distilled from reviewed permission, shell-safety, and worktree-management implementations.\n\n## Core Method\nSplit a slug on `/`, reject segments that are empty, `.` or `..`, or contain characters outside a za z0 9, and enforce a maximum combined length before joining the cleaned segments into a deterministic branch name and path. Perform this validation synchronously before invoking any git commands so the CLI never creates directories outside claude worktrees.\n\n## Key Rules\n- Validate each `/`-separated segment independently so user evil and similar mashups fail early.\n- Enforce a total length cap (e.g., 64 chars) before `git worktree add` to prevent excessively long refs or paths.\n- Reject slugs with leading/trailing slashes or repeated `..` segments even when a normalization would neutralize them.\n- Run this check before any git fetch, mkdir, or hook execution to avoid partial side effects.\n\n## Example Application\nAny agent producing a worktree name for a release hotfix can reuse this skill: call the validator on the proposed slug, surface a concise error message if it fails, and refuse to call `git worktree add` until the slug is safe.\n\n## Anti-Patterns (What NOT to do)\n- Do not rely on `git worktree add` to detect traversal; it may silently create directories in unexpected locations.\n- Do not treat slugs as a single string (e.g., foo bar) without splitting, because multi-segment checks are necessary.\n- Avoid waiting until after `mkdir` or config changes—the validation must run before any side effects.","tags":["safe","worktree","slug","validation","cskill","agents","ychampion","agent-skills","ai-agents","cli","coding-agents","context-engineering"],"capabilities":["skill","source-ychampion","skill-safe-worktree-slug-validation","topic-agent-skills","topic-ai-agents","topic-cli","topic-coding-agents","topic-context-engineering","topic-developer-tools","topic-mcp","topic-multi-agent","topic-terminal-ui"],"categories":["cskill-agents"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/ychampion/cskill-agents/safe-worktree-slug-validation","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add ychampion/cskill-agents","source_repo":"https://github.com/ychampion/cskill-agents","install_from":"skills.sh"}},"qualityScore":"0.467","qualityRationale":"deterministic score 0.47 from registry signals: · indexed on github topic:agent-skills · 34 github stars · SKILL.md body (1,790 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:56:55.775Z","embedding":null,"createdAt":"2026-04-18T22:21:12.567Z","updatedAt":"2026-04-22T00:56:55.775Z","lastSeenAt":"2026-04-22T00:56:55.775Z","tsv":"'64':147 '9':89 'accept':32 'add':152,228,247 'agent':194 'anti':235 'anti-pattern':234 'appli':29 'applic':192 'avoid':187,279 'bar':269 'branch':104 'call':207,225 'cap':145 'chang':286 'char':50,148 'charact':84 'check':177,276 'claud':124 'clean':99 'cli':119 'combin':94 'command':116 'concis':216 'config':285 'contain':83 'core':70 'creat':121,254 'detect':249 'determinist':103 'directori':55,122,255 'distil':58 'domain':24 'e.g':146,267 'earli':140 'effect':190,294 'empti':80 'enforc':91,141 'ensur':6 'enter':38 'error':217 'escap':12 'even':168 'evil':135 'exampl':191 'excess':155 'execut':185 'fail':139,221 'fetch':181 'foo':268 'git':7,26,115,150,180,226,245 'git-worktre':25 'guarante':44 'hook':184 'hotfix':202 'implement':69 'independ':132 'inject':17 'invalid':49 'invok':113 'join':97 'key':126 'leading/trailing':163 'length':95,144 'locat':258 'long':156 'manag':14,68 'mashup':138 'maximum':93 'may':252 'messag':218 'method':71 'mkdir':182,283 'multi':274 'multi-seg':273 'must':289 'name':105,198 'necessari':278 'need':42 'neutral':173 'never':11,120 'normal':171 'outsid':85,123 'partial':188 'path':46,107,159 'pattern':57,236 'perform':108 'permiss':61 'prefix':36 'prevent':154 'produc':195 'propos':212 'provid':35 'ref':157 'refus':223 'reject':76,160 'releas':201 'reli':243 'repeat':166 'reus':204 'review':60 'rule':127 'run':175,290 'safe':2,20,233 'safe-worktree-slug-valid':1 'safeti':64 'segment':77,100,131,167,275 'separ':130 'shell':63 'shell-safeti':62 'side':189,293 'silent':253 'similar':137 'singl':265 'skill':19,206 'skill-safe-worktree-slug-validation' 'slash':164 'slip':51 'slug':4,9,22,74,161,213,231,262 'sourc':56 'source-ychampion' 'split':72,271 'string':266 'surfac':214 'synchron':111 'topic-agent-skills' 'topic-ai-agents' 'topic-cli' 'topic-coding-agents' 'topic-context-engineering' 'topic-developer-tools' 'topic-mcp' 'topic-multi-agent' 'topic-terminal-ui' 'total':143 'travers':18,47,250 'treat':261 'trigger':28 'unexpect':257 'user':34,134 'user-provid':33 'valid':5,23,110,128,209,288 'wait':280 'without':270 'workspac':15 'worktre':3,8,21,27,39,54,67,125,151,197,227,246 'worktree-manag':66 'would':172 'z0':88 'za':87","prices":[{"id":"888a82b0-08b7-418b-ad78-c0216965ea43","listingId":"755d2d48-c39b-4eba-adc8-d78fc4c5890d","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"ychampion","category":"cskill-agents","install_from":"skills.sh"},"createdAt":"2026-04-18T22:21:12.567Z"}],"sources":[{"listingId":"755d2d48-c39b-4eba-adc8-d78fc4c5890d","source":"github","sourceId":"ychampion/cskill-agents/safe-worktree-slug-validation","sourceUrl":"https://github.com/ychampion/cskill-agents/tree/main/skills/safe-worktree-slug-validation","isPrimary":false,"firstSeenAt":"2026-04-18T22:21:12.567Z","lastSeenAt":"2026-04-22T00:56:55.775Z"}],"details":{"listingId":"755d2d48-c39b-4eba-adc8-d78fc4c5890d","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"ychampion","slug":"safe-worktree-slug-validation","github":{"repo":"ychampion/cskill-agents","stars":34,"topics":["agent-skills","ai-agents","cli","coding-agents","context-engineering","developer-tools","mcp","multi-agent","terminal-ui"],"license":"mit","html_url":"https://github.com/ychampion/cskill-agents","pushed_at":"2026-04-04T14:13:23Z","description":"Agent skills for coding CLIs, multi-agent runtimes, context engines, MCP extensions, and terminal tooling. Instead of using claude code's source code, give your agent skills to create your own!","skill_md_sha":"a810390a4196dd0fc8e67a13cc82dc748413d4cf","skill_md_path":"skills/safe-worktree-slug-validation/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/ychampion/cskill-agents/tree/main/skills/safe-worktree-slug-validation"},"layout":"multi","source":"github","category":"cskill-agents","frontmatter":{"name":"safe-worktree-slug-validation","description":"Ensure Git worktree slugs can never escape the managed workspace or inject traversal."},"skills_sh_url":"https://skills.sh/ychampion/cskill-agents/safe-worktree-slug-validation"},"updatedAt":"2026-04-22T00:56:55.775Z"}}