security-scanning-security-hardening

This skill orchestrates a powerful, multi-agent security hardening workflow that legitimately requires broad access to code, infrastructure, and secrets. The core purpose aligns with the described capabilities, but the workflow as written lacks several important safety controls: explicit scoping of targets, restricted and auditable endpoints for reports and artifacts, pinned/trusted tool sources, least-privilege role definitions, and per-action authorization for invasive steps (penetration testing, infra changes, secret rotations). These gaps create realistic supply-chain and credential-forwarding risks, and enable autonomy-abuse if an agent or subagent is compromised. The artifact is not itself obviously malicious (no obfuscation or embedded credential exfiltration endpoints), but it carries medium-to-high operational risk unless implemented with strict governance, trusted toolchains, pinned versions, and explicit data-flow constraints.