shapeup
Audited by Socket on Feb 27, 2026
1 alert found:
Obfuscated File

This file is a clear orchestration manifest for the ShapeUp workflow and on its face implements benign project-facilitator functionality. However, its insistence on immediately and autonomously executing a set of undefined, black-box commands, combined with broad filesystem scanning, raises an elevated supply-chain risk. The code as provided does not include explicit malicious payloads, but the invocation pattern could allow a compromised sub-command to exfiltrate data or access credentials.

Recommended mitigations:
- Require explicit per-command user consent before execution (especially for the first run).
- Restrict scans to an explicit project path (avoid broad projects/ enumeration by default).
- Implement dry-run and overwrite-detection modes.
- Make the implementations of /frame-coach, /shape, /plan, /breakdown and /hillchart auditable, and execute them with least privilege and network restrictions.

With those controls, the practical security risk is much lower.