skills/rysweet/rustyclawd/lsp-setup/Gen Agent Trust Hub

lsp-setup

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands using subprocess.run to manage LSP plugins and verify system configurations.
  • The PluginManager in plugin_manager.py executes commands such as npx cclsp install <plugin_name> and npx cclsp list.
  • These commands are executed by passing arguments as a list rather than a shell string, preventing typical shell injection vulnerabilities.
  • User-controlled or auto-detected inputs like plugin_name are validated against a strict alphanumeric regex (^[a-zA-Z0-9_-]+$) in the _validate_plugin_name method to ensure no malicious characters are passed to the shell.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of development tools from remote registries.
  • It uses npx to run the cclsp tool, which may involve fetching the package from the npm registry if it is not locally cached.
  • The documentation and status reports provide users with installation commands for third-party LSP servers (e.g., Microsoft's Pyright, Rust-Analyzer), though these are presented as guidance for manual execution rather than being performed automatically by the skill.
  • [SAFE]: The skill demonstrates secure handling of project configuration and files.
  • The LSPConfigurator manages the project's .env file by explicitly targeting relevant keys (like ENABLE_LSP_TOOL) and performs automatic backups (.env.backup) before applying changes.
  • File system operations are scoped to the project root directory.
  • The LanguageDetector respects .gitignore patterns and ignores standard sensitive or build directories (e.g., .git, node_modules, venv) when scanning for project metadata.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 08:56 AM
Security Audit — agent-trust-hub — lsp-setup