ast-grep
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the `ast-grep` binary from its official GitHub repository releases during the installation process (`install.sh` and `install.ps1`). This is a legitimate operation to fetch the core tool required for the skill's functionality.
- [COMMAND_EXECUTION]: The `scripts/ast_grep_helper.py` script executes the `ast-grep` binary using `subprocess.run`. This is necessary for performing the structural code searches and modifications requested by the user. The commands are constructed as lists rather than shell strings, reducing the risk of command injection.
Audit Metadata