code-necromancer
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a well-structured instructional framework for technical auditing. It relies on standard system tools and well-known command-line utilities for static analysis and repository mapping.
- [DATA_EXPOSURE]: The skill includes patterns for identifying sensitive configuration markers, such as environment variable names (e.g., AWS_ACCESS_KEY, JWT_SECRET) and configuration file paths (e.g., .env.example). This is performed purely for the purpose of cataloging system requirements during the 'Archaeology' phase and does not involve the extraction or transmission of secret values.
- [COMMAND_EXECUTION]: The skill utilizes shell scripts (analyze-repo.sh, scan-repos.sh) to automate repository introspection. These scripts use standard, safe commands such as git, grep, find, jq, and the gh CLI to generate local JSON and Markdown reports.
- [INDIRECT_PROMPT_INJECTION]: Since the skill is designed to ingest and analyze external, legacy codebases, there is a theoretical surface for indirect prompt injection via malicious code comments or documentation. However, the skill emphasizes analytical tools and static mapping rather than executing the target code, which significantly reduces the risk of the agent being coerced into unauthorized actions.
- [EXTERNAL_DOWNLOADS]: The skill references and recommends well-known security and analysis tools (e.g., npm audit, pip-audit, safety, govulncheck). These are standard industry tools from trusted sources and do not represent a security risk in this context.
Audit Metadata