code-analyzer

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The file 'scripts/main.cjs' uses 'child_process.spawn' to execute a JavaScript file located at '.claude/tools/analysis/project-analyzer/analyzer.mjs'. Because the code for this analyzer tool is not included in the skill package, its operations and safety cannot be verified.
  • [COMMAND_EXECUTION]: Command-line arguments provided to the skill are passed directly to the spawned process in 'scripts/main.cjs' without sanitization, which may lead to unexpected behavior depending on the target script.
  • [PROMPT_INJECTION]: The 'SKILL.md' file includes metadata asserting 'verified: true'. This is a self-reported claim by the author and must not be treated as an authoritative safety verdict.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection while processing code metrics.
    1. Ingestion points: The analyzer processes all files in the project root.
    2. Boundary markers: No delimiters or ignore-instructions are used when processing file content.
    3. Capability inventory: The skill can execute local scripts and subprocesses via 'spawn' in 'main.cjs'.
    4. Sanitization: No evidence of output filtering or validation was found in the provided wrapper scripts.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 3, 2026, 02:04 PM