How Sub‑Agents Empower AI Code Review and Boost Security
This guide explains the Sub‑Agent concept used in AI coding tools, shows why it solves context‑loss problems, and walks through a concrete PHP security review example with Claude Code, including agent configuration, execution steps, and a detailed vulnerability report.
What Is a Sub‑Agent?
Sub‑Agent is a popular multi‑agent implementation used by AI programming tools such as Claude Code, Cursor, and GitHub Copilot, where a large AI (the Main Agent) acts as a project manager and delegates specific tasks to specialized child AIs (Sub‑Agents).
Why Use Sub‑Agents?
When using Claude, Cursor, Aider, etc., developers often encounter the "forgetting" problem: after the model performs several tasks, the context becomes cluttered with intermediate diffs, error logs, and discarded code, causing the model to lose track of the original requirements, architecture, and security constraints. Sub‑Agents isolate each concern, keeping the main context clean.
Project Application
Tinywan applied Sub‑Agents in a backend PHP project to let Claude Code review a newly written authentication module for security issues.
1. Create Vulnerable Code
The sample auth.php file contains two security problems: hard‑coded credentials and an insecure JWT generation that only returns a timestamp.
<?php
/**
* @desc Auth.php
* @author Tinywan(ShaoBo Wan)
*/
declare(strict_types=1);
// Hard‑coded KEY, SECRET
const APP_KEY = 'Tinywan';
const APP_SECRET = 'Tinywan';
// Simple token generation
function generate_token(int $userId): string {
$timestamp = time();
return base64_encode((string)$timestamp);
}2. Create a Code‑Review Sub‑Agent
A read‑only Sub‑Agent configuration file tinywan-code-reviewer.md is created with the following content:
---
name: tinywan-code-reviewer
description: 检查代码变更的质量、安全性以及最佳实践。在代码修改后主动使用。
tools: Read, Grep, Glob, Bash
model: sonnet
---
你是一位资深代码审查工程师,精通安全领域和软件工程最佳实践。
## 被调用时的执行步骤
1. **识别变更**:执行 `git diff` 或读取指定的文件
2. **分析代码**:按照多个维度进行检查
3. **报告问题**:按严重程度分类
## 审查维度
### 安全(最高优先级)
- 硬编码密钥/凭据/密码
## 输出格式(必须严格遵循)
### 严重问题(Critical Issues)
- [文件:行号] 问题描述
- 为什么重要(安全/法律/稳定性等)
- 建议修复方案
### 总结
- 总计问题数:X 个
- 严重:X | 警告:X | 建议:X
- 整体风险评估:高 / 中 / 低3. Run the Review
In the project directory, the following command is entered into Claude Code:
让 tinywan-code-reviewer 审查 src/ 目录下的所有代码The tinywan-code-reviewer Sub‑Agent is automatically activated.
4. Review Report
After execution, Claude Code returns a detailed report similar to the one below:
审查结果总览
审查范围: src/ 目录(1 个 PHP 文件)
整体风险评估: 🔴 高风险
关键发现
严重问题(2个,必须立即修复)
1. 硬编码敏感信息 (auth.php:9-10)
- APP_KEY 和 APP_SECRET 明文写在代码中
- 风险:密钥泄露、无法环境隔离
- 修复:使用环境变量或独立配置文件
2. 不安全的 Token 生成算法 (auth.php:13-17)
- 仅用时间戳生成 Token,且未使用 $userId 参数
- 风险:可被轻易伪造、无签名验证、无过期机制
- 修复:使用标准 JWT(推荐 firebase/php-jwt)
警告问题(3个)
3. 函数参数 $userId 未使用
4. 缺少错误处理机制
5. 未使用命名空间(违反 PSR-4)
建议改进(5个)
6. 完善 PHPDoc 文档注释
7. 添加单元测试覆盖
8. 添加操作日志记录
9. 增强输入验证
10. 提高代码可扩展性
问题统计
- 总计: 10 个问题
- 分布: 严重 2 | 警告 3 | 建议 5
- 安全性: ⭐ 1/5(严重不足)
- 规范性: ⭐⭐ 2/5
优先级建议
1. P0(紧急): 修复 2 个严重安全问题
2. P1(高): 添加错误处理和验证
3. P2(中): 改进代码结构
4. P3(低): 完善测试和文档
报告中还包含了完整的重构代码示例和使用说明。建议立即处理安全问题,然后再优化代码质量。The report highlights hard‑coded credentials, an insecure token algorithm, unused parameters, missing error handling, and lack of namespaces, and provides concrete remediation steps and prioritization.
Open Source Tech Hub
Sharing cutting-edge internet technologies and practical AI resources.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.