install-lsp
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill instructs the agent to run
npx cclsp@latest setup, which fetches and executes code from an unverified npm package at runtime. This is a classic 'download and execute' pattern from an untrusted source. - [EXTERNAL_DOWNLOADS] (HIGH): It directs the agent to add an untrusted third-party plugin marketplace (
boostvolt/claude-code-lsps) and install numerous binaries from unverified repositories across various package managers (npm, pip, gem, go). - [COMMAND_EXECUTION] (HIGH): The instructions require the agent to modify user shell profiles (
~/.zshrc,~/.bashrc). While the stated intent is to set an environment variable, the capability to write to startup scripts is a significant persistence and security risk. - [DATA_EXFILTRATION] (MEDIUM): The skill interacts with and modifies configuration files (
~/.config/claude/cclsp.json) and shell profiles, which are sensitive files that often contain secrets or credentials.
Recommendations
- AI detected serious security threats
Audit Metadata