bug-blitz
Audited by Socket on Feb 28, 2026
1 alert found:
Obfuscated File
This workflow is functionally appropriate for parallelized bug fixing and contains no direct evidence of obfuscated or intentionally malicious code within the fragment reviewed. However, it creates a significant supply-chain/trust surface: spawned subagents and the /fix-bug skill receive full access to repository worktrees and available credentials and can perform networked side effects (pushes, PRs, API calls). That transitive trust makes this workflow a medium-to-high operational risk unless controls are applied: restrict and audit the /fix-bug skill, provision least-privilege credentials, require per-PR human review or independent PR verification before cleanup, and log/monitor subagent activity. Treat this module as safe to use only with those mitigations in place.