delegate-agent
Audited by Socket on Mar 1, 2026
1 alert found:
Security: The delegate-agent skill's architecture (creating repository branches, writing job prompts to git, and triggering GitHub Actions that run sub-agents) is powerful but risk-prone. The most significant issues are credential forwarding (sub-agents inherit the parent's API keys and permissions), CI execution of potentially untrusted content, and storage of prompts in the repository. These create realistic avenues for secret leakage, arbitrary command execution in CI, and supply-chain or transitive attacks. The behavior is not inherently malicious, but it is high-risk by design unless strict mitigations are added: least-privilege scoped credentials, ephemeral tokens, strict input validation and allowlisting, CI job restrictions (no secret access for untrusted branches), network egress controls, and secure logging practices. Without those controls, deploying this skill in a privileged environment could lead to credential theft or repository compromise.