worker-dispatch

[Skill Scanner] Backtick command substitution detected All findings: [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] The script's purpose (spawn and manage ephemeral worker agents for GitHub issues) matches its implementation, but it contains dangerous operational choices: notably codex exec with --dangerously-bypass-approvals-and-sandbox plus broad allowedTools and lack of resource/credential scoping. These make the orchestration high-risk: a worker (malicious or compromised) could execute arbitrary commands in the repository, create or modify PRs, and potentially exfiltrate sensitive data via GitHub or outbound network calls. I find no direct, hardcoded malicious payload, but the design is suspicious from a supply-chain security perspective and should be treated with caution — restrict sandbox bypass, narrow tool permissions, add approval gates, and tightly scope credentials and environment access before use. LLM verification: The skill's stated purpose (spawn isolated, ephemeral workers per issue) matches many implemented behaviors (worktrees, GitHub comments, worker processes). However, there are significant security concerns: codex is invoked with an explicit sandbox/approval bypass flag, allowedTools include broad wildcard permissions and network access, and prompts can embed arbitrary local context which becomes visible to the worker and to GitHub comments (persistent sink). These factors create realistic exfiltr