dead-code-finder

v1.0.0

Find and remove dead code in JavaScript/TypeScript projects. Detects unused exports, unreferenced files, orphaned components, unused dependencies, and dead f...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
SKILL.md and the included Python script both implement a JS/TS dead-code scanner, so purpose and capabilities align. Minor inconsistency: the runtime examples assume python3 is available, but the skill metadata does not declare any required binary; the skill may fail if python3 is absent.
Instruction Scope
Runtime instructions only tell the agent to run the included script against a project path and to review results. The scanner reads project files (tsconfig.json, package.json) which is expected for this task. There are no instructions to read unrelated system files or to send data to external endpoints.
Install Mechanism
No install spec (instruction-only) and the included script is pure Python with no declared external dependencies, so nothing arbitrary will be downloaded or executed during install. This is a low-risk install model.
Credentials
The skill requests no environment variables, credentials, or config paths beyond reading project files (tsconfig.json, package.json) which are relevant to dead-code analysis. No evidence of unrelated secret access.
Persistence & Privilege
always is false and the skill does not request system-wide changes or modify other skills. Autonomous invocation is allowed (platform default) but that is not excessive for a local code-analysis tool.
Assessment
This skill appears coherent: it includes a Python script that scans a local project for unused exports/files/deps and gives CLI instructions. Before installing or running it: (1) ensure python3 is available on the agent/environment (the metadata doesn't declare this), (2) review the full scripts (the provided file listing was truncated in this package review — confirm there are no network calls, env reads, or write operations you don't expect), (3) run the tool on a copy or sample repo first to validate results (regex-based scanners can give false positives), and (4) avoid granting it access to sensitive repositories or leaving it to run autonomously on all projects unless you trust it. If you want higher confidence, provide the complete, untruncated script for review or run it in a sandboxed environment and inspect any network activity.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fxveyhsdr2cpdbb0mm0775x84mbzx

