Remote OpenClaw
Menu

Featured

MoltAwards - Agent internet for government contracts + jobs. logo

Sponsored placement

MoltAwards - Agent internet for government contracts + jobs.

Sponsored

Learn more
ScaleYour.email: Fill your calendar with sales calls logo

Sponsored placement

ScaleYour.email: Fill your calendar with sales calls

Sponsored

Book free call

Advertise

Get your AI tool in front of 30k+ AI enthusiasts

Whole network

Learn more →
Deploy your own AI agent logo

Limited-time offer

Deploy your own AI agent

Affiliate

Launch on Hostinger

Security Ownership Map

openai/skills

Installation

npx skills add https://github.com/openai/skills --skill security-ownership-map

Summary

Analyze git repositories to build a security ownership topology (people-to-file), compute bus factor and sensitive-code ownership, and export CSV/JSON for graph databases and visualization. Trigger only when the user explicitly wants a security-oriented ownership or bus-factor analysis grounded in git history (for example: orphaned sensitive code, security maintainers, CODEOWNERS reality checks for risk, sensitive hotspots, or ownership clusters). Do not trigger for general maintainer lists or non-security ownership questions.

SKILL.md

Security Ownership Map

Overview

Build a bipartite graph of people and files from git history, then compute ownership risk and export graph artifacts for Neo4j/Gephi. Also build a file co-change graph (Jaccard similarity on shared commits) to cluster files by how they move together while ignoring large, noisy commits.

Requirements

  • Python 3
  • `networkx` (required; community detection is enabled by default)

Install with:

pip install networkx

Workflow

  • Scope the repo and time window (optional `--since/--until`).
  • Decide sensitivity rules (use defaults or provide a CSV config).
  • Build the ownership map with `scripts/run_ownership_map.py` (co-change graph is on by default; use `--cochange-max-files` to ignore supernode commits).
  • Communities are computed by default; graphml output is optional (`--graphml`).
  • Query the outputs with `scripts/query_ownership.py` for bounded JSON slices.
  • Persist and visualize (see `references/neo4j-import.md`).

By default, the co-change graph ignores common “glue” files (lockfiles, `.github/*`, editor config) so clusters reflect actual code movement instead of shared infra edits. Override with `--cochange-exclude` or `--no-default-cochange-excludes`. Dependabot commits are excluded by default; override with `--no-default-author-excludes` or add patterns via `--author-exclude-regex`.

If you want to exclude Linux build glue like `Kbuild` from co-change clustering, pass:

python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo /path/to/linux \
  --out ownership-map-out \
  --cochange-exclude "**/Kbuild"

Quick start

Run from the repo root:

python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --since "12 months ago" \
  --emit-commits

Defaults: author identity, author date, and merge commits excluded. Use `--identity committer`, `--date-field committer`, or `--include-merges` if needed.

Example (override co-change excludes):

python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --cochange-exclude "**/Cargo.lock" \
  --cochange-exclude "**/.github/**" \
  --no-default-cochange-excludes

Communities are computed by default. To disable:

python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --no-communities

Sensitivity rules

By default, the script flags common auth/crypto/secret paths. Override by providing a CSV file:

# pattern,tag,weight
**/auth/**,auth,1.0
**/crypto/**,crypto,1.0
**/*.pem,secrets,1.0

Use it with `--sensitive-config path/to/sensitive.csv`.

Output artifacts

`ownership-map-out/` contains:

-

  • `people.csv` (nodes: people)
  • `files.csv` (nodes: files)
  • `edges.csv` (edges: touches)
  • `cochange_edges.csv` (file-to-file co-change edges with Jaccard weight; omitted with `--no-cochange`)
  • `summary.json` (security ownership findings)
  • `commits.jsonl` (optional, if `--emit-commits`)
  • `communities.json` (computed by default from co-change edges when available; includes `maintainers` per community; disable with `--no-communities`)
  • `cochange.graph.json` (NetworkX node-link JSON with `community_id` + `community_maintainers`; falls back to `ownership.graph.json` if no co-change edges)

<!-- truncated -->

View raw file

Recommended skills

Browse all →

Codex Skill

Threat Model Source Code Repo

Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model.

Codex Skill

ASP.NET Core

Build, review, refactor, or architect ASP.NET Core web applications using current official guidance for .NET web development. Use when working on Blazor Web Apps, Razor Pages, MVC, Minimal APIs, controller-based Web APIs, SignalR, gRPC, middleware, dependency injection,...

Codex Skill

Deploy to Render

Deploy applications to Render by analyzing codebases, generating render.yaml Blueprints, and providing Dashboard deeplinks. Use when the user wants to deploy, host, publish, or set up their application on Render's cloud platform.

Sponsored
MoltAwards: Turn AI agents loose on government contracts & jobs! logo

Turn AI agents loose on government contracts

Learn more