graph-blast-radius
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a local Python script located at .claude/scripts/code_graph. This script performs operations such as blast radius calculation and dependency tracing by interacting with a local code graph database.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface (Category 8). Ingestion points: file paths, function names, and class names are ingested from the project's source code and git status. Boundary markers: absent; code identifiers are interpolated directly into shell command strings without delimiters. Capability inventory: the skill has the ability to execute subprocesses via the Bash tool. Sanitization: absent; there is no evidence of escaping or validation of these identifiers before they are passed to the shell script.
- [REMOTE_CODE_EXECUTION]: The skill lists tree-sitter, tree-sitter-language-pack, and networkx as prerequisites. These are well-known and trusted libraries for code parsing and graph analysis. The skill does not attempt to download or execute unverified remote code during operation.
Audit Metadata