building-java-knowledge-graph
Warn
Audited by Snyk on Jun 22, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). Outsider free text can enter the LLM context via the project’s own source files and config files (e.g.,
*.java/*.kt/*.scala/*.groovy,application*.properties/yaml) that the script reads at runtime and then serializes intoknowledge-graph.json(nodes/edges/annotations/properties), which downstream agents may feed into the LLM.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). Yes — scripts/install_grammars.py performs git clone and builds tree-sitter grammars at setup/runtime, fetching and executing remote code from the listed GitHub repositories (https://github.com/tree-sitter/tree-sitter-java, https://github.com/fwcd/tree-sitter-kotlin, https://github.com/tree-sitter/tree-sitter-scala, https://github.com/murtaza64/tree-sitter-groovy), and the resulting artifacts (languages.so) are required by scripts/build_knowledge_graph.py.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata