codemap
Audited by Socket on Feb 16, 2026
1 alert found:
Obfuscated File

The skill appears legitimate for automated codebase mapping and documentation generation, but it carries meaningful risk due to operational choices: reading `.env*` and broad config patterns, background parallel agents that write directly and return only confirmations, reliance on templates at `$SKILL_PATH`, and an optional commit step that can persist sensitive findings to git. There is no explicit malicious code present, but the combination of reduced transparency and access to secrets makes this component SUSPICIOUS in untrusted environments.

Recommended controls before use: review `$SKILL_PATH/templates` and agent prompts, run in an isolated environment without outbound network access, disable automatic commits or inspect outputs before committing, and modify discovery to skip or redact `.env*` and other sensitive files.