Skip to content

Subagent split + 45-skill description audit#18

Open
thejefflarson wants to merge 3 commits into
mainfrom
clarity/findings-for-non-security
Open

Subagent split + 45-skill description audit#18
thejefflarson wants to merge 3 commits into
mainfrom
clarity/findings-for-non-security

Conversation

@thejefflarson
Copy link
Copy Markdown
Owner

@thejefflarson thejefflarson commented May 17, 2026

Summary

Splits `/security-review` into a thin orchestrator skill + 5 named subagents and brings every skill description into line with the official Skill authoring best practices.

Subagent split (`.claude/agents/`)

Per the subagent docs, the stage prompts that were squeezed into the 600-word skill body now live as full agent files:

  • `threat-modeling` — Stage 0
  • `hotspot-mapping` — Stage 1 (now carries the skill catalog the orchestrator used to inline)
  • `design-review` — Stage 1b
  • `vulnerability-audit` — Stage 2 (dispatched once per ≤5-hotspot chunk)
  • `attack-chain-analysis` — Stage 3

Each agent file has its full system prompt, finding-style rules for non-security developers, worked examples, and an anti-injection guard. The orchestrator drops from 619 → 387 words of pure coordination logic plus a pipeline-progress checklist users can copy as they go.

Naming follows the noun-phrase (activity) form per the docs. `tools: Read, Glob, Grep` on all of them (read-only).

Description audit — all 45 skills

The Anthropic best-practices doc requires descriptions to include both what the skill does and when to use it, in third person. Soundcheck's existing descriptions covered "when" exhaustively but skipped "what". Each description now leads with a third-person summary:

  • `csrf`: "Detects forms and state-changing endpoints missing CSRF protection. Use when writing HTML forms..."
  • `injection`: "Detects SQL, command, and template injection caused by user input reaching an interpreter without parameterization. Use when writing code that constructs..."

…and 43 more in the same shape. Existing "Use when..." triggers unchanged — this just prepends the missing "what" sentence.

CLAUDE.md

  • Bump skill count 39 → 45.
  • Document the orchestrator/subagent split and the reload caveat (agent files require a session restart; `/reload-plugins` doesn't pick them up).
  • Update the description-authoring section to require the what+when format with examples.

What I didn't do

  • Did not rename `security-review` itself. Its name is locked in via the `/security-review` slash command — public API.
  • Did not add `"use proactively"` to agent descriptions. Our agents are explicitly invoked by the orchestrator, not auto-delegated; "use proactively" would risk them firing tangentially on user requests outside the pipeline flow.
  • Did not hardcode `model:` on agents. Subagents inherit the parent's model; hardcoding would override a user's `--model haiku` cost choice.

Test plan

  • `python scripts/validate-skills.py` → 45/45 pass
  • Word counts unchanged for the 45 skills (descriptions live in frontmatter, validator strips frontmatter)
  • Security-review orchestrator: 387 words (well under 600)
  • Smoke a sample skill auto-invocation with the new `Detects… Use when…` description format (Haiku, Sonnet)

Reviewer cheat sheet

  • Look at `csrf/SKILL.md` for a representative description rewrite (smallest diff).
  • Look at `vulnerability-audit.md` for the most substantive agent — has the finding-style guidance with good/bad examples that used to live in the squeezed orchestrator skill.
  • Look at `security-review/SKILL.md` for the new thin orchestrator + checklist pattern.

🤖 Generated with Claude Code

@thejefflarson @claude
Refactor /security-review into orchestrator + 5 subagents; audit all …
0f62ce6 
…45 skill descriptions

## Subagent split

Move the per-stage prompts out of `.claude/skills/security-review/SKILL.md`
and into `.claude/agents/`:

- `threat-modeling.md` — Stage 0
- `hotspot-mapping.md` — Stage 1 (now carries the skill catalog)
- `design-review.md` — Stage 1b
- `vulnerability-audit.md` — Stage 2
- `attack-chain-analysis.md` — Stage 3

Each agent file has its full system prompt, finding-style rules,
worked examples, and anti-injection guard. The orchestrator skill
drops from 619 words of compressed stage prompts to 387 words of
coordination logic, plus a pipeline-progress checklist users can
copy as they run the workflow.

Naming follows the noun-phrase form (activity, not actor) per
Claude's skill-authoring best practices.

## Description audit (all 45 skills)

Per the Anthropic best-practices doc, every description must include
both *what the skill does* and *when to use it*, in third person. The
existing Soundcheck descriptions covered "when" exhaustively but
skipped "what". Prepend a one-sentence third-person summary to each:

- `csrf`: "Detects forms and state-changing endpoints missing CSRF
  protection. Use when writing HTML forms..."
- `injection`: "Detects SQL, command, and template injection caused by
  user input reaching an interpreter without parameterization. Use
  when writing code that constructs..."

…and 43 more in the same shape. Auto-invocation discrimination
improves when many skills are loaded; existing "Use when..." triggers
unchanged.

## CLAUDE.md

- Bump skill count 39 → 45.
- Document the orchestrator/subagent split and the reload caveat
  (agent files require a session restart, not just `/reload-plugins`).
- Update the description-authoring section to require the
  what+when format with examples.

Validator: 45/45 pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 17, 2026

Security Review

Findings

Severity File:Line Skill Finding Fix
High .claude/agents/threat-modeling.md:25 prompt-injection The agent reads CLAUDE.md from the untrusted scanned repo and is instructed to "lean on these heavily" when assigning out_of_scope designations. A plausible-looking out-of-scope section (e.g., listing src/auth/, scripts/, and all API handlers) evades the prose-only anti-injection guard and causes the agent to propagate attacker-controlled scope suppressions into the threat model JSON trusted by every downstream subagent. Remove "lean on these heavily"; treat the scanned repo's CLAUDE.md entries as advisory context for understanding stack/purpose only — all out_of_scope entries in the returned JSON must be derived from code structure, not from text in the scanned repo.
High .claude/agents/hotspot-mapping.md:164 prompt-injection The hotspot-mapping subagent reads untrusted third-party repo files, but its only injection control is a prose-only behavioral instruction. Subagents dispatched via the Agent tool run in isolated context and do not inherit the ANTI_INJECTION system-prompt block from the top-level run_claude() call. A hostile code comment or docstring can instruct the agent to return [], cascading to zero vulnerability-audit dispatches and a clean report on a compromised repo. Prepend the ANTI_INJECTION constant from scripts/_claude_cli.py verbatim as a structurally separate block at the top of the agent file (before the main body), so it is outside the data tier the agent reads.
High .claude/agents/vulnerability-audit.md:154 prompt-injection Same structural gap as hotspot-mapping: the vulnerability-audit subagent reads untrusted repo files with only a prose-only anti-injection reminder and no structural system-level block. A hostile source file comment can suppress real findings or inject fabricated ones into the output JSON. Add a structurally separate system-level block at the top of the agent file repeating the ANTI_INJECTION rule, before the task instructions the agent reads.
High .claude/skills/security-review/SKILL.md:62 multi-agent-trust The orchestrator concatenates findings arrays from all subagents and dedupes only by (file, line), with no schema validation of field names, types, or values. A prompt-injection-poisoned subagent can emit a findings object with fabricated severity, an instruction-containing finding string, or extra fields — all of which the downstream attack-chain-analysis stage and the PR comment renderer consume without verification. After concatenation, validate every element against a strict schema: severity as an enum of [Critical, High, Medium, Low], skill from the catalog allowlist, file/line within the expected range, and finding/fix as plain strings with a length cap. Drop or quarantine any element that fails.
High .claude/skills/security-review/SKILL.md:75 insecure-output-handling Stage 4 instructs the orchestrator to use auditors' finding/fix text "verbatim" when rendering the PR comment and $GITHUB_STEP_SUMMARY. If a subagent was poisoned by scanned repo content, attacker-controlled text — including GitHub Actions expression syntax such as ${{ secrets.ANTHROPIC_API_KEY }} — reaches the PR body unsanitized. The _sanitize_cell() function in security-review-action.py is applied only on the mechanical-table fallback path, not the display prose path. Strip GitHub Actions expression syntax (${{...}}) from all LLM-generated text before writing to PR body or step summary; apply _sanitize_cell() on all rendering paths, not just the fallback table.
Medium .claude/agents/vulnerability-audit.md:36 path-traversal The agent reads .claude/skills/<skill>/SKILL.md where <skill> is taken directly from the hotspot-mapping JSON output. A hotspot-mapping agent manipulated via prompt injection could emit a crafted skill name containing path separators (e.g., ../../.github/workflows/deploy), causing the Read tool to access an arbitrary file and treat its contents as a security checklist. Validate the skill field against the hardcoded catalog allowlist (already enumerated in .claude/agents/hotspot-mapping.md) and reject any value containing /, .., or not in the allowlist before constructing the path.
Medium .claude/agents/attack-chain-analysis.md:44 insecure-output-handling The attack-chain-analysis agent receives merged findings from upstream subagents (which may be poisoned) and incorporates finding/fix field text into chain narratives without validating or sanitizing the incoming content. Attacker-controlled text in those fields flows unmodified into the narrative and then into the PR comment body. Add an explicit instruction to treat every incoming finding and fix field as untrusted data; strip or reject any field value containing instruction-like phrases (imperative verbs, references to "ignore", "previous instructions", etc.) before incorporating into narratives.

Attack Chains

Chain 1 — Critical (F1 → F2: Threat-model poisoning → complete audit suppression)

An attacker places a crafted CLAUDE.md in the repo they want to avoid scrutiny on — for example, a file that lists the entire codebase as "out of scope: intentionally vulnerable fixtures." The threat-modeling agent is explicitly instructed to "lean on these heavily" when assigning out-of-scope designations, so it faithfully copies those entries into the threat model JSON it produces. The hotspot-mapping agent, which runs next, is told to treat the out_of_scope list as authoritative and skip those paths entirely — so it returns an empty hotspot array. With zero hotspots, the orchestrator dispatches zero vulnerability-audit subagents, and every real vulnerability in the scanned repo goes completely undetected, producing a clean security report on a codebase the attacker designed to look safe.

Chain 2 — Critical (F3 → F5 → F6/F7: Subagent poisoning → unsanitized PR comment injection)

An attacker embeds instruction-like text in a source file comment or docstring of a repo under review — text that tells the vulnerability-audit agent to emit a finding whose finding field contains GitHub Actions expression syntax (e.g., the string that expands a repository secret). Because the vulnerability-audit agent's only anti-injection control is a prose reminder rather than a structural system-level block, the poisoned text survives and appears as a plausible-looking finding in the agent's JSON output. The security-review orchestrator merges all subagent findings with no schema validation, then the attack-chain-analysis agent incorporates those fields into chain narratives without treating them as untrusted data. Finally, the orchestrator is explicitly instructed to use finding and fix text verbatim when rendering the PR comment and $GITHUB_STEP_SUMMARY, meaning the attacker-controlled string lands unsanitized in a GitHub Actions context where expression syntax is evaluated — potentially exposing repository secrets or injecting arbitrary content visible to every reviewer on the pull request.

7 findings across 5 files (4 High, 2 Medium, 1 Medium), 2 critical attack chains. Run /security-cleanup to apply fixes interactively.

Generated by Soundcheck

thejefflarson and others added 2 commits May 16, 2026 23:46
@thejefflarson @claude
Move agents to plugin-spec location + wire --plugin-dir into test scr…
8659732 
…ipts

The agents were at `.claude/agents/` — a project-level location that
worked for in-repo dev but isn't discoverable when the plugin is
installed or loaded via `--plugin-dir`, per the docs:

> Plugin agents/ directories are also scanned recursively.

(https://code.claude.com/docs/en/sub-agents)

Moves them to `agents/` at the plugin root so they're picked up by:
- the installed plugin in interactive `/security-review`,
- `--plugin-dir <soundcheck>` in test scripts,
- and the same path on the action when it clones soundcheck.

End-to-end verified: ran security-review-action.py against a fixture
with a known SQL injection on haiku — orchestrator dispatched all 5
stages (threat-modeling → hotspot-mapping → design-review +
vulnerability-audit → attack-chain-analysis) by bare name (plugin
skills resolve their own sibling agents without the namespace prefix
when loaded via --plugin-dir), produced findings table with the new
severity legend, attack chain narrative, and Critical SQLi catch.

## Script changes

- `_claude_cli.run_claude`: new `plugin_dir` kwarg → `--plugin-dir`.
- `security-review-action.py`: derives `plugin_dir` from the
  `--skill-path` so the action also picks up agents when run against
  third-party repos. Skill-path is now `.../plugin/.claude/skills/
  security-review/SKILL.md`; plugin root is four parents up.
- `benchmark-eval.py`: passes `plugin_dir=ROOT` (the soundcheck repo)
  for the `security-review` test only; the other two skills are still
  inline analysis and don't dispatch subagents.
- `smoke-test-skills.py`: skips `security-review` in `find_all_skills()`
  — it's an orchestrator, not a per-skill detector, and the smoke test
  arm runs with `disable_tools=True`. End-to-end coverage comes from
  benchmark-eval and the GitHub Action self-test.

## CLAUDE.md

- Updates path references `.claude/agents/` → `agents/` throughout.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@thejefflarson @claude
benchmark-eval: bump security-review budget and timeout
1c98b3a 
After the subagent split, /security-review fans out into 5+ Claude
sessions (threat-modeling, hotspot-mapping, design-review,
vulnerability-audit × N, attack-chain-analysis). All of them bill
against the same --max-budget-usd envelope on the parent invocation,
so the $1 default from run_claude got the orchestrator killed
mid-pipeline on every repo:

  calcom x security-review: ERROR claude exited with code 1:
    Error: Exceeded USD budget (1)

And the 1200s (20 min) timeout was already tight pre-refactor; with
the new architecture's sequential stages it timed out on redash and
gitea before producing output.

For security-review specifically, raise the budget to $10 and the
timeout to 40 min. hotspots and threat-model remain inline reviews
and keep the $1 / 20 min defaults — they don't dispatch subagents.

Caught by re-running the benchmark; previously masked by the
inline-everything orchestrator architecture.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 17, 2026

Security Review

Findings

Severity File:Line Skill Finding Fix
High scripts/security-review-action.py:116 integrity-failures parse_findings() validates only that the outer value is a list; no field-level schema is applied. The file, skill, severity, and finding fields flow unvalidated into the autofix prompt and into path construction, enabling traversal or injection through any LLM response that deviates from the expected shape. After parse_findings() returns, validate each finding: severity must be in SEVERITY_ORDER; file must resolve inside repo_dir via Path.resolve().relative_to(); skill must match re.fullmatch(r'[a-z][a-z0-9-]{0,48}', ...) against the known catalog; cap finding/fix fields at 2000 chars. Drop findings that fail.
High scripts/security-review-action.py:450 path-traversal The cleanup_prompt tells the Edit-capable cleanup agent to open {SKILLS_DIR}/<skill>/SKILL.md where <skill> is substituted at agent-runtime from LLM findings that originated from untrusted repo review. A skill value of ../../.github/workflows/deploy would cause the agent to read or write outside SKILLS_DIR, with no canonicalization check anywhere in the pipeline. Before writing autofix_findings to the temp file, allowlist each skill against {p.name for p in SKILLS_DIR.iterdir() if p.is_dir()}. Drop findings with unrecognized skill names.
High scripts/security-review-action.py:462 excessive-agency The autofix agent receives allowed_tools="Read,Grep,Glob,Edit" scoped to the entire repo_dir and is instructed to "apply every fix without asking for confirmation." Because finding text originates from an LLM review of untrusted third-party code, a prompt-injection payload embedded in a comment could survive into autofix_findings and redirect the agent to overwrite arbitrary files — including CI workflow files. Restrict the Edit tool to only the specific files named in autofix_findings by invoking a separate scoped agent per file, or by building a per-invocation path allowlist and asserting each Edit stays within it.
Medium scripts/security-review-action.py:264 insecure-plugin-design When skill_path resolves inside repo_dir, a warning is printed but execution continues; the tainted skill file is then read at line 270 and used verbatim as the reviewer's system prompt. In a self-review scenario or CI configuration where the plugin checkout is the scan target, a malicious PR that rewrites .claude/skills/security-review/SKILL.md fully controls the reviewer's instructions. Replace the warning with a hard error: if skill_in_repo: print("ERROR: skill file inside repo under review; aborting."); sys.exit(2). Provide --allow-skill-in-repo as an explicit opt-in escape hatch for trusted self-review workflows.
Medium scripts/security-review-action.py:362 insecure-output-handling print(f"\n{display}\n") writes raw LLM-generated text (sourced from untrusted repo content) to stdout without sanitizing GitHub Actions workflow command syntax. Lines beginning with :: (e.g. ::set-env name=AWS_KEY::secret) are interpreted by the Actions runner as commands, allowing an adversarially crafted repo to set environment variables or mask subsequent secrets. Strip or percent-encode :: prefixes before printing: safe = re.sub(r'^::', '%3A%3A', display, flags=re.MULTILINE). Same fix applies to cleanup_response at line 472.
Medium scripts/security-review-action.py:446 insecure-design The cleanup_prompt embeds findings_path (a temp file containing LLM-derived file fields) without first verifying that every finding's file resolves within repo_dir. The Edit-capable agent can therefore be directed to modify files outside the intended repository boundary if a finding carries a path-traversal value. Before writing autofix_findings to the temp file, resolve each finding["file"] against repo_dir and drop any entry where (repo_dir / finding["file"]).resolve() is not relative to repo_dir.resolve().
Medium scripts/security-review-action.py:472 insecure-output-handling print(cleanup_response) emits the raw cleanup agent response to stdout. This response is influenced by findings text from untrusted repo review and carries the same GitHub Actions workflow command injection risk as line 362. Apply the same :: prefix sanitization (see line 362 fix) before printing cleanup_response.
Medium scripts/security-review-action.py:482 insecure-local-storage _write_summary() creates a temp file via tempfile.mkstemp() without specifying mode, leaving permissions umask-dependent (potentially 0644 on misconfigured CI runners). The file contains the full PR security-findings summary. The same issue exists at line 439 for the findings JSON passed to the autofix agent. After tempfile.mkstemp(), call os.chmod(path, 0o600) before writing. Apply to both the summary temp file (line 482) and the autofix findings temp file (line 439).
Medium scripts/security-review-action.py:525 insecure-design Path(args.audit_log).write_text(...) writes to a caller-supplied path with no validation that it resolves within an expected output directory. On a shared CI runner with write permissions, a misconfigured --audit-log argument (or injection into the invocation command) could overwrite arbitrary files such as /etc/cron.d/soundcheck or workspace configuration files. Validate Path(args.audit_log).resolve().is_relative_to(repo_dir) (or a designated logs dir) before writing. Reject with a non-zero exit code if the path escapes.
Medium agents/vulnerability-audit.md:73 multi-agent-trust The vulnerability-audit subagent returns a free-form JSON array that the orchestrator aggregates with no field-level schema enforcement. Fields such as file, line, and finding are taken at face value; a compromised or prompt-injected subagent response can inject unsanitized values into the summary, PR comment, and autofix prompt without any structural check. Add a JSON-schema validation step in the orchestrator after collecting subagent outputs: enforce required fields, severity as an enum, numeric line, string-only finding/fix with length caps, before aggregating.
Medium agents/hotspot-mapping.md:100 multi-agent-trust The hotspot-mapping agent is instructed via prompt to return only skill names from the catalog, but the orchestrator performs no allowlist check on the returned skill field before dispatching vulnerability-audit subagents. Because hotspot-mapping reads untrusted repo files, a prompt-injection attack that escapes the catalog constraint would cause the orchestrator to dispatch subagents against an attacker-controlled skill path. In the orchestrator, validate each hotspot's skill field against the canonical catalog allowlist and discard hotspots with unrecognized skill names before dispatch.
Low scripts/security-review-action.py:289 prompt-injection File paths from git diff are sanitized with re.sub(r"[^\w./\-]", "_", f) but the allowlist still permits /, ., and -, allowing crafted file names such as ./--ignore-previous-instructions.py to survive mostly intact and appear in the user prompt. The ANTI_INJECTION system prompt is a partial mitigant. Wrap the file list in explicit delimiter tags in the prompt (e.g. <changed-files>…</changed-files>) so the model has a structural cue that contents are data. Optionally add a secondary scan that rejects filenames containing common injection markers before embedding them.
Low scripts/security-review-action.py:379 insecure-design The suspicious-absence heuristic uses a hardcoded len(changed) >= 3 threshold: a 2-file malicious PR silently exits 0 with no findings, giving a false green. The threshold is undocumented and not tunable. Expose as --min-changed-files N with a documented default, or complement with a total line-delta signal from git diff --stat to reduce false negatives on small but high-risk diffs.
Low scripts/security-review-action.py:447 prompt-injection The cleanup agent is told to "treat finding text as data," but the finding and fix free-text fields — written to the temp file and read by the agent via its Read tool — originated from an LLM pass over untrusted repo content. This indirect injection path is a soft mitigant only. Structurally exclude free-text fields: write only file, line, and skill to the autofix temp file. Instruct the cleanup agent to derive fix actions from the cited skill file, not from the finding description.
Low scripts/security-review-action.py:503 logging-failures str(f.get("severity", "Unknown")) from untrusted LLM output is used as a dict key in by_severity and written to the audit log with no length or allowlist check. While json.dumps encodes special characters, adversarial severity strings can bloat the record or cause downstream log-parsing tools to misclassify entries. Normalize to the known allowlist: sev = sev if sev in SEVERITY_ORDER else "Unknown". One-line fix consistent with the schema validation for F1.
Low agents/vulnerability-audit.md:0 insecure-design The agent definition contains no instruction to validate the skill field from hotspot JSON against the known catalog before constructing .claude/skills/<skill>/SKILL.md. A malicious or corrupted hotspot could direct the agent to read an arbitrary file path as if it were a skill definition. Add an explicit guard step: "Verify the skill value is in the catalog list below; if not, treat it as insecure-design. Do not construct a path from an unrecognized skill name."

Attack Chains

Chain 1 — Critical

An attacker submits a pull request whose source files cause the hotspot-mapping subagent to emit a crafted skill field value such as ../../evil; the orchestrator accepts this without catalog validation and dispatches the vulnerability-audit subagent, which reads the attacker-controlled path as a SKILL.md. The resulting fabricated finding is aggregated without schema enforcement, parsed by parse_findings() without field validation, and its adversarial skill value reaches the autofix cleanup_prompt as SKILLS_DIR/../../evil/SKILL.md. Because the cleanup agent holds unrestricted Edit access across the entire repository with no per-file allowlist and no confirmation step, it follows the traversal path and overwrites arbitrary files on the CI runner — potentially including workflow definitions, deploy scripts, or credential files checked out alongside the code.

Chain 2 — High

A malicious PR introduces a file whose path survives the [^\w./\-] regex sanitization, embedding instruction markers that appear in the LLM's user prompt; the reviewer LLM generates a finding whose free-text fields contain injected instructions. Those fields pass through parse_findings() without validation and are written verbatim into the autofix temp file. The cleanup agent reads the temp file via its Read tool and, acting on the injected instructions rather than the legitimate skill guidance, uses its unrestricted Edit access to make attacker-directed modifications to the repository.

Chain 3 — High

When the soundcheck action is invoked on a repository that contains an attacker-modified SKILL.md at the auto-detected skill path, skill_path resolves inside repo_dir and the code emits only a warning before using the tainted file as the LLM reviewer's system prompt. If autofix is also enabled, the poisoned system prompt now controls the cleanup agent, which holds unrestricted Edit access to the checked-out repository, allowing the attacker-controlled skill content to redirect the agent to overwrite any file in the CI workspace.

Chain 4 — Medium

A repository under review contains strings or code that cause the LLM reviewer to emit GitHub Actions workflow command syntax (e.g. ::set-env name=TOKEN::stolen) in its response; this text is printed to stdout without sanitization after the review, and again when the autofix cleanup response is printed. An attacker who can predict or steer review output can thereby inject arbitrary workflow commands into the CI job's stdout stream, setting environment variables for subsequent steps, masking secrets from log output, or influencing the Actions runner state.

Chain 5 — Medium

The temporary file holding serialized findings is created without restrictive permissions, leaving it world-readable on a misconfigured or multi-tenant CI runner; a co-resident process can read the findings JSON to learn vulnerability details about the scanned repository, or — if it has write access to /tmp — can overwrite the file with adversarial finding objects before the autofix agent reads it. The cleanup agent then processes the tampered findings using its unrestricted Edit access, turning a file-permission weakness into arbitrary code modification in the repository.

Summary: 16 findings across scripts/security-review-action.py, agents/vulnerability-audit.md, and agents/hotspot-mapping.md — 3 High, 6 Medium, 7 Low — with 5 attack chains including one Critical chain that chains unvalidated subagent output through a lack of path-traversal checks into unrestricted Edit-tool access on the CI runner.

Run /security-cleanup to apply fixes interactively.

Generated by Soundcheck

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thejefflarson