lsp-plugin

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill generates configuration files ('.lsp.json') that define executable commands for language servers. This creates a direct vector for code execution. If the generation process is influenced by malicious input, an attacker can specify arbitrary system commands (e.g., reverse shells) instead of legitimate servers.
  • [COMMAND_EXECUTION] (MEDIUM): The skill's workflow explicitly requires the agent to execute shell commands ('git config', 'ls', 'which') to gather environment details and user metadata. These capabilities increase the potential impact if the agent's logic is subverted.
  • [PROMPT_INJECTION] (HIGH): This skill is highly susceptible to indirect prompt injection. It ingests untrusted data (user requests for plugins) and uses it to create executable configurations without implementing sanitization, validation, or boundary markers. Mandatory Evidence Chain:
    1. Ingestion points: User requests defining new LSP plugins and their parameters.
    2. Boundary markers: Absent; templates lack delimiters or instructions to ignore embedded commands.
    3. Capability inventory: Writing '.lsp.json' files with 'command' and 'args' keys; modifying '~/.claude/settings.json'; executing environment probes.
    4. Sanitization: Absent; the skill does not validate whether the provided 'command' is a legitimate language server binary.
  • [DATA_EXPOSURE] (LOW): The skill accesses sensitive local paths (~/.claude/settings.json) and extracts personal information from git configurations. While this is used to gather legitimate metadata, it amounts to unauthorized data access if triggered maliciously.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:22 AM