cpg-analysis
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill documents the integration of industry-standard static analysis tools (Joern and CodeQL) for auditing source code. It provides legitimate MCP configuration for local servers and demonstrates usage patterns for identifying vulnerabilities like SQL injection and unvalidated redirects.
- [EXTERNAL_DOWNLOADS]: The documentation references an installation script (`~/.claude/install-graph-tools.sh`) intended to set up the necessary local environment for the analysis tools. This is a standard procedure for tools requiring Docker, JVM, or the CodeQL CLI.
- [COMMAND_EXECUTION]: The skill describes tools like `run_cpgql_query` and `run_query`, which execute analysis logic against a generated Code Property Graph (CPG) or CodeQL database. These operations are restricted to the context of the code analysis backend and are essential for the skill's stated purpose.
Audit Metadata