ts-morph-analyzer

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (LOW): The setup.sh script runs npm install to fetch required dependencies such as ts-morph and typescript. While these are standard development tools, installing external packages introduces a minor supply-chain risk. Severity is downgraded to LOW because the install is essential to the tool's primary purpose.
  • [Indirect Prompt Injection] (LOW): The skill analyzes local source files and extracts JSDoc comments and function signatures to present to the AI agent. Maliciously crafted source code could contain prompt-injection instructions in comments intended to hijack the agent's context.
    • Ingestion points: scripts/analyze-exports.ts and scripts/trace-calls.ts (via ts-morph file reading).
    • Boundary markers: Absent in the terminal output provided to the agent.
    • Capability inventory: No network access, file writing, or arbitrary command execution capabilities were found in the analysis scripts.
    • Sanitization: No sanitization is performed on the extracted JSDoc or identifier names before output.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:06 PM