add-lang
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE
Flagged: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches language grammars from the official npm registry (using the @tree-sitter-grammars/ scope) when local grammars are missing or outdated.
- [EXTERNAL_DOWNLOADS]: Uses the GitHub CLI (gh) to identify and clone public repositories to build a test corpus for verifying language extraction quality.
- [COMMAND_EXECUTION]: Executes internal project scripts for grammar health checks (check-grammar.mjs), AST dumping (dump-ast.mjs), and automated benchmarking (bench.sh).
- [COMMAND_EXECUTION]: Invokes the claude CLI to perform A/B evaluations on retrieval quality, which involves sending code samples to Anthropic's services and incurring documented API usage costs.
- [PROMPT_INJECTION]: The skill processes untrusted content by indexing and benchmarking external repositories cloned from GitHub. While these repositories could theoretically contain instructions targeting the benchmark agent, the risk is inherent to the tool's primary purpose of code analysis and is mitigated by the skill's instructions to perform these runs in a headless benchmark environment.
Audit Metadata