codebase-analyzer

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (categories flagged: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): The skill utilizes standard shell commands such as npx and npm audit to execute its core code analysis and auditing functions.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill invokes multiple third-party tools via npx (including snyk, depcheck, and jscpd), which entails downloading and running code from the npm registry at runtime, presenting a minor supply chain risk.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
      • Ingestion points: The analyze-codebase.ts script reads content from files within the src/ directory.
      • Boundary markers: No delimiters or "ignore instructions" warnings are used when processing file content.
      • Capability inventory: The skill is granted extensive capabilities, including the Bash, Write, and Edit tools.
      • Sanitization: No sanitization or validation of the ingested code content is performed before it is processed.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:19 PM