Skills
skills/openharmonyinsight/openharmony-skills/oh-precommit-codecheck/Gen Agent Trust Hub

oh-precommit-codecheck

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the CodeArts codecheck engine and custom clang-tidy binaries from Huawei's Object Storage Service (OBS) during initialization.
  • Evidence: scripts/setup.sh uses curl to download zip archives from https://codeheck-chajian-bj4-obs.obs.cn-north-4.myhuaweicloud.com/ into the ~/.codecheck-tools/ directory.
  • [COMMAND_EXECUTION]: Executes the downloaded analysis engine and various system-installed linters to evaluate source code files.
  • Evidence: scripts/check.sh invokes java -jar for the CodeArts engine and runs shell commands for pylint, flake8, shellcheck, and gn format based on file extensions.
  • [PROMPT_INJECTION]: The skill processes untrusted code files which could theoretically contain malicious instructions targeting the agent via Indirect Prompt Injection.
  • Ingestion points: Processes local source files including .cpp, .py, .sh, and .gn files within the repository.
  • Boundary markers: The agent is instructed to parse structured, pipe-delimited output from the shell scripts rather than raw linter output.
  • Capability inventory: The agent has access to the Edit and Write tools to perform auto-fixes, and shell execution via the skill's scripts.
  • Sanitization: Scripts like check_python.sh and check_shell.sh include sed patterns to remove delimiter characters (|) from linter messages, ensuring the agent receives correctly formatted data and preventing interpretation of injected control characters.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 9, 2026, 06:58 AM