impl-do

Fail

Audited by Socket on Mar 12, 2026

2 alerts found:

Obfuscated File x2
Obfuscated File (HIGH)
SKILL.md

The skill describes a structured orchestrator pattern that delegates implementation and review tasks to subagents using a file-based communication channel. This is coherent with its stated purpose and presents a low exposure profile since data largely remains within a controlled local workspace (plan.json, memory.md, mail/). There is a reasonable per-task review cycle to mitigate autonomous execution risk. No unverifiable binaries or external data exfiltration mechanisms are described, and there are no evident credential-handling requirements beyond standard task data. Overall, the design is benign with respect to the stated purpose, though careful access controls on the mail/ and plan.json/memory.md paths are advisable to prevent leakage of task details.

Confidence: 98%
Obfuscated File (HIGH)
orchestrator.md

The document is an orchestration policy that by itself is not executable malware and contains no explicit malicious primitives. However, the automation model—fresh subagents with broad repo access, automatic doc propagation, and automated commits combined with a 'NEVER stop mid-workflow' rule—creates a moderate-to-significant operational supply-chain risk. If subagents or input artifacts are untrusted or compromised, the orchestrator can be induced to read secrets, inject malicious code, or commit backdoors. Introduce human approval gates, secrets scanning, least-privilege execution, and audit/diff reviews before committing or updating global docs to mitigate risks.

Confidence: 98%
Audit Metadata

Analyzed At: Mar 12, 2026, 11:14 PM
Package URL: pkg:socket/skills-sh/arenahito%2Fpiggychick%2Fimpl-do%2F@c0eed08bdcc9d2765b424caf47a7e54f951452ea