Given a .NET assembly (DLL or EXE), how can I make sure it does (or does not) use unsafe code, with a command line tool?
Use PEVerify.
Example output for an unsafe assembly:
> peverify /quiet myapp.exe
myapp.exe FAIL (2 error(s))
Example output for a safe assembly:
> peverify /quiet myapp.exe
myapp.exe PASS
This will not only detect code marked "unsafe", but also calls to native libraries.
N.B. peverify should come installed with Visual Studio, and is easiest to call when using the Visual Studio Developer Command Prompt.