dependency-mapping

Pass

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: LOW
NO_CODE
Full Analysis

The SKILL.md file provides a detailed, natural language description of a 'Dependency Mapping Skill'. It outlines a multi-phase process for users to manually create a Design Structure Matrix (DSM), calculate dependency and leverage scores, and rank slices by risk.

  • Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', 'CRITICAL: Override', role-play instructions) were found. The language is purely instructional.
  • Data Exfiltration: The skill contains no commands or references to sensitive file paths (e.g., ~/.aws/credentials, ~/.ssh/id_rsa), and it performs no network operations (curl, wget, fetch, requests).
  • Obfuscation: No obfuscation techniques such as Base64 encoding, zero-width characters, Unicode homoglyphs, or URL/hex/HTML encoding were detected within the markdown content.
  • Unverifiable Dependencies: There are no npm install, pip install, or yarn add commands, and no references to external scripts/URLs that would download or execute unverified code. Mentions of Glob **/*.stories.tsx and SemanticSearch are conceptual instructions for the user to perform, not commands executed by the skill itself.
  • Privilege Escalation: No commands like sudo, doas, chmod, or any other actions that would attempt to acquire elevated privileges were found.
  • Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, creating cron jobs, or altering SSH authorized_keys) were detected.
  • Metadata Poisoning: The skill's name and description in the front matter are benign and accurately reflect its purpose. No malicious instructions were found in any metadata fields.
  • Indirect Prompt Injection: The skill processes user-provided data (the DSM matrix, scores) but does not interact with external, untrusted data sources (like emails or web content) that could be used for indirect prompt injection.
  • Time-Delayed / Conditional Attacks: No conditional logic based on dates, times, usage counts, or environment variables that could trigger malicious behavior was identified.

Overall, the skill is purely informational and does not execute any code, making it safe from the identified threat categories.

Audit Metadata
Risk Level: LOW
Analyzed: Feb 12, 2026, 02:18 PM