codeql-scan
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE (findings tagged: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The scripts scripts/invoke_codeql_scan.py and scripts/invoke_codeql_scan_skill.py use subprocess.run to execute git for repository root detection and pwsh (PowerShell) to invoke CodeQL analysis scripts.
- [SAFE]: Command execution is limited to necessary project tools (git, pwsh) with arguments that are either hardcoded or strictly validated via argparse choices. No arbitrary command injection vectors were identified.
- [EXTERNAL_DOWNLOADS]: The documentation references an installation script (install_codeql.py) for the CodeQL CLI. This is a standard setup procedure for security analysis tools and does not involve direct execution of untrusted remote payloads by the skill itself.
Audit Metadata