code-dedup
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure] (SAFE): The tool reads source code from the target directory for analysis. While it does not explicitly exclude secret files like `.env` or `.ssh` keys by default, its behavior is consistent with its primary purpose of codebase auditing. Standard exclusions for `.git`, `node_modules`, and build directories are implemented.
- [Indirect Prompt Injection] (SAFE): The skill processes untrusted source code and extracts snippets into reports, presenting a theoretical surface for indirect injection if a downstream agent follows instructions embedded in analyzed comments.
  - Ingestion points: Source files scanned via `glob` patterns and read into memory in `CodeAnalyzer.js` and `SimpleDeduper.js`.
  - Boundary markers: Absent; code snippets are interpolated directly into JSON, HTML, or console outputs.
  - Capability inventory: File reading (`fs.readFile`), file writing (`fs.writeFile`), and file deletion (`fs.unlink` for cache management) are used for legitimate functionality.
  - Sanitization: None; the tool treats code content as text for duplicate and structure analysis.
- [External Downloads] (SAFE): Dependencies in `package.json` are standard, well-known libraries from the npm registry (e.g., commander, glob, tree-sitter, chalk). No suspicious or unversioned remote scripts are executed at runtime.
- [Command Execution] (SAFE): The skill performs static analysis and does not use `eval`, `exec`, or `spawn` to run arbitrary commands or user-provided scripts.
Audit Metadata