Analyze Git history to map security ownership and identify sensitive code bus-factor risks.
Overall risk is low. The material describes a local Git-repository security ownership analysis workflow with no required secrets and no declared remote egress; if the Python scripts are used, the main considerations are local code execution and local read/write access to repository history and exported artifacts.
The material explicitly states that no keys or environment variables are required, and no API tokens, cloud credentials, or account authorizations are mentioned, so credential exposure and abuse risk appears low.
No remote endpoints are declared. The README describes building graphs from local Git history and exporting CSV/JSON/GraphML artifacts, with no indication that user data is sent to external services.
The README instructs users to run local Python scripts (such as `run_ownership_map.py` and `query_ownership.py`) and install the `networkx` dependency. This is normal local code execution and dependency installation, so it should be run only in a trusted environment with source review.
Its functionality requires reading the target repository’s Git history, file paths, and author metadata, and writing analysis outputs to a local directory (such as people/files/edges CSVs). No excessive system-wide access beyond the stated purpose is evident, but it does access local code and commit metadata.
The source is the open-source GitHub repository `openai/skills` with strong community adoption (about 22k stars), providing good auditability and source credibility. The unspecified license and unknown maintenance status are minor governance uncertainties, but not enough on their own to make it high risk.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "security-ownership-map" skill from askskill: 1. Download https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-ownership-map/SKILL.md 2. Save it as ~/.claude/skills/security-ownership-map/SKILL.md 3. Reload skills and tell me it's ready
Build a bipartite graph of people and files from git history, then compute ownership risk and export graph artifacts for Neo4j/Gephi. Also build a file co-change graph (Jaccard similarity on shared commits) to cluster files by how they move together while ignoring large, noisy commits.
networkx (required; community detection is enabled by default)Install with:
pip install networkx
--since/--until).scripts/run_ownership_map.py (co-change graph is on by default; use --cochange-max-files to ignore supernode commits).--graphml).scripts/query_ownership.py for bounded JSON slices.references/neo4j-import.md).By default, the co-change graph ignores common “glue” files (lockfiles, .github/*, editor config) so clusters reflect actual code movement instead of shared infra edits. Override with --cochange-exclude or --no-default-cochange-excludes. Dependabot commits are excluded by default; override with --no-default-author-excludes or add patterns via --author-exclude-regex.
If you want to exclude Linux build glue like Kbuild from co-change clustering, pass:
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
--repo /path/to/linux \
--out ownership-map-out \
--cochange-exclude "**/Kbuild"
Run from the repo root:
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
--repo . \
--out ownership-map-out \
--since "12 months ago" \
--emit-commits
Defaults: author identity, author date, and merge commits excluded. Use --identity committer, --date-field committer, or --include-merges if needed.
Example (override co-change excludes):
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
--repo . \
--out ownership-map-out \
--cochange-exclude "**/Cargo.lock" \
--cochange-exclude "**/.github/**" \
--no-default-cochange-excludes
Communities are computed by default. To disable:
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
--repo . \
--out ownership-map-out \
--no-communities
By default, the script flags common auth/crypto/secret paths. Override by providing a CSV file:
# pattern,tag,weight
**/auth/**,auth,1.0
**/crypto/**,crypto,1.0
**/*.pem,secrets,1.0
Use it with --sensitive-config path/to/sensitive.csv.
ownership-map-out/ contains:
people.csv (nodes: people)files.csv (nodes: files)edges.csv (edges: touches)cochange_edges.csv (file-to-file co-change edges with Jaccard weight; omitted with --no-cochange)summary.json (security ownership findings)commits.jsonl (optional, if --emit-commits)communities.json (computed by default from co-change edges when available; includes maintainers per community; disable with --no-communities)cochange.graph.json (NetworkX node-link JSON with community_id + community_maintainers; falls back to ownership.graph.json if no co-change edges)ownership.graphml / cochange.graphml (optional, if --graphml)people.csv includes timezone detection based on author commit offsets: primary_tz_offset, primary_tz_minutes, and timezone_offsets.
Use scripts/query_ownership.py to return small, JSON-bounded slices without loading the full graph into context.
Examples:
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out people --limit 10
…
Generate or edit bitmap images for illustrations, photos, textures, mockups, and cutouts.
Build, scaffold, refactor, and troubleshoot ChatGPT Apps SDK applications.
Create a composable CLI from docs, specs, SDKs, apps, or scripts.
Turn vague intentions into concrete, measurable goals and clear success criteria.
Create a new blank Figma design or FigJam file to start collaborating quickly.
Connect to Figma, fetch design assets, and turn nodes into production code.
Clone GitHub repos, audit code, scan security issues, and explain code intelligently.
Identify remotely exploitable, bounty-worthy security issues in code repositories.
Analyze public GitHub repos and PRs for risks, findings, and merge readiness.
Analyze codebase health to find dead code, dependency cycles, and architecture drift.
Analyze a codebase for threats, abuse paths, and mitigations in Markdown.
Analyze local TS/JS repo dependencies and change impact before editing code.