lsp-setup
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using
subprocess.runto manage LSP plugins and verify system configurations. - The
PluginManagerinplugin_manager.pyexecutes commands such asnpx cclsp install <plugin_name>andnpx cclsp list. - These commands are executed by passing arguments as a list rather than a shell string, preventing typical shell injection vulnerabilities.
- User-controlled or auto-detected inputs like
plugin_nameare validated against a strict alphanumeric regex (^[a-zA-Z0-9_-]+$) in the_validate_plugin_namemethod to ensure no malicious characters are passed to the shell. - [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of development tools from remote registries.
- It uses
npxto run thecclsptool, which may involve fetching the package from the npm registry if it is not locally cached. - The documentation and status reports provide users with installation commands for third-party LSP servers (e.g., Microsoft's Pyright, Rust-Analyzer), though these are presented as guidance for manual execution rather than being performed automatically by the skill.
- [SAFE]: The skill demonstrates secure handling of project configuration and files.
- The
LSPConfiguratormanages the project's.envfile by explicitly targeting relevant keys (likeENABLE_LSP_TOOL) and performs automatic backups (.env.backup) before applying changes. - File system operations are scoped to the project root directory.
- The
LanguageDetectorrespects.gitignorepatterns and ignores standard sensitive or build directories (e.g.,.git,node_modules,venv) when scanning for project metadata.
Audit Metadata