analyze-code
Fail
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File (severity: HIGH) in SKILL.md
The skill's purpose (deep code analysis via a consultant subagent) is legitimate, but the implementation as described lacks critical operational safeguards. The main risks are supply-chain (downloading and executing an unspecified subagent), data exfiltration of repository secrets (broad file gathering without redaction), and unclear network behavior or provenance for any external tooling. Mitigations: pin and verify subagent binaries and versions, restrict the file-gathering scope or require an explicit allowlist, redact secrets before they leave the repository, require user confirmation for sensitive paths, and document network endpoints and telemetry policies before execution.
Confidence: 98%
Audit Metadata