Security risk report for @forgecat/openai_skills_security-ownership-map v0.0.10
Source Integrity
Low
Profile claims origin from OpenAI's public skills repository (https://github.com/openai/skills) with a specific commit hash and Apache-2.0 license.
No instructions to fetch external URLs, install untrusted dependencies, or pull remote payloads; the only external reference is a ForgeCat banner image (standard documentation artifact).
Agent Intent
Low
The profile describes a legitimate security analysis tool (ownership topology, bus factor, sensitive-code clustering) with clear, scoped use cases (security-oriented ownership questions only).
No instructions to ignore previous instructions, reveal system prompts, exfiltrate data, or install hidden payloads; the skill is purely analytical (reads git history, outputs CSV/JSON/GraphML).
Guidance is standard and security-positive: recommends NetworkX for community detection, provides sensitivity rule templates, and documents safe filtering patterns (e.g., excluding bots, lockfiles, merge commits by default).
Details
Evidence
Trigger condition: 'Trigger only when the user explicitly wants a security-oriented ownership or bus-factor analysis grounded in git history'
Dependencies: 'Python 3' and 'networkx' only; no typosquatted or attacker-controlled packages.
Output: 'CSV/JSON for graph databases and visualization' — no exfiltration or credential-reading instructions.
Permissions
PRM-000Medium
The skill requires file_read access to the target git repository (`.git/` directory and working tree) to extract commit history, author metadata, and file paths — this is necessary for the stated function.
No shell, file_write, file_delete, or file_mutate permissions are declared or needed; output is generated via Python scripts, not shell commands.
Caution level (not safe) because the skill reads potentially sensitive metadata (author emails, commit timestamps, file paths) from any repository the user points it to, and the output (CSV/JSON) could expose internal ownership patterns if mishandled — but this is inherent to the function, not excessive.
Details
Evidence
Workflow: 'Build the ownership map with `scripts/run_ownership_map.py`' — requires read access to git history.
Output: 'people.csv' includes 'email', 'first_seen', 'last_seen', 'timezone_offsets' — metadata extraction is the core function, not a side effect.
No alwaysApply=true rules or globs='**' declarations; skill is user-triggered only.
MCP Risk
Low
No MCP servers are declared in the profile; the skill is a standalone Python tool that runs locally.
Dependencies are limited to NetworkX (a well-known, open-source graph library) and Python 3 standard library; no arbitrary binary execution or network calls.
The Neo4j import guide documents optional persistence to a user-controlled Neo4j instance; no hidden instructions or unrestricted access.