remove-dead-code

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill includes an indirect prompt injection surface as it analyzes untrusted codebase files and executes commands based on project metadata.
    • Ingestion points: The skill reads all files within the project directory, as well as package.json and tsconfig.json, to gather context and identify candidates (scan-dead-code.md).
    • Boundary markers: There are no explicit delimiters or instructions to sub-agents to ignore potentially malicious instructions embedded in the analyzed code.
    • Capability inventory: The skill can delete files, modify code content, and execute arbitrary project scripts via npm (remove-dead-code.md, validate-removal.md).
    • Sanitization: No sanitization or filtering of codebase content is performed before processing.
  • [COMMAND_EXECUTION]: The skill executes various system commands using git and npm to manage code changes and validate project integrity. These include git stash and branch commands for backups, and npx tsc, npm run build, and npm test for verification. These operations are core to the skill's functionality and are protected by user-review gates.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 08:04 PM