project-analyze
Audited by Socket on Feb 15, 2026
1 alert found:
Obfuscated File

This orchestration code is not overtly malicious code, but it represents a medium-high supply-chain data-exfiltration risk. It composes prompts that require scanning the repository, uses external LLM CLIs inside agents, and writes raw exploration outputs which are later embedded and sent to analysis agents. Without safeguards (allowlists, redaction, script integrity checks, minimal scope, and explicit policies preventing secrets export), using this module in sensitive projects can leak credentials or proprietary code to third parties. Recommend blocking or instrumenting agent-executed scans, applying strict allowlists/redaction before writing or sending outputs, verifying helper script integrity, and avoiding automatic remote LLM calls with raw project data.