find-dead-code
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several external CLI tools for code analysis, including vulture, periphery, and deadcode.
- [EXTERNAL_DOWNLOADS]: Utilizes npx knip to perform analysis on TypeScript projects, which involves fetching the knip package from the official npm registry.
- [REMOTE_CODE_EXECUTION]: Running cargo build on Rust projects to detect dead code warnings can trigger the execution of arbitrary code via build.rs scripts or procedural macros present in the codebase.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted source code and configuration files. Ingestion points: Project source files and configuration files like package.json or Cargo.toml. Boundary markers: None identified in the subagent instructions. Capability inventory: Command execution via subprocesses and spawning background agents. Sanitization: No sanitization or validation of the ingested code content is performed.
Audit Metadata