LSP Code Navigation
Pass. Audited by ClawScan on May 1, 2026.
Overview
This appears to be a disclosed local code-navigation tool that runs language-server processes and a temporary daemon, with no artifact-backed evidence of deception or data exfiltration.
This skill is reasonable for local code navigation. Before installing, make sure you trust the included script and any language servers you install, avoid untrusted LSP_SERVER overrides, and shut down the daemon when you no longer need it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can start installed language-server binaries, or any command the user configures through LSP_SERVER.
The client executes local language-server commands, and a user-controlled LSP_SERVER environment variable can override the command. This is expected for an LSP client, but it is still local command execution.
override = os.environ.get("LSP_SERVER") ... return override.split() ... self._proc = subprocess.Popen(self.server_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
Install language servers from trusted sources and avoid setting LSP_SERVER to untrusted or ambiguous commands.
A local helper process may remain running briefly after a query to keep language servers available.
The skill creates a local background daemon and socket. The behavior is disclosed and time-bounded, so it is a persistence note rather than a concern.
Forks a single background daemon process on first use ... Communicates with the daemon over a Unix socket (`~/.cache/lsp-query/daemon.sock`) ... Each language server auto-stops after 5 minutes idle
Use `lsp-query servers` to inspect running daemons and `lsp-query shutdown` when you want to stop them immediately.
Installing the recommended language servers adds third-party tools to the user's system, some globally.
The setup guidance points users to external package ecosystems and global installs for language servers. These are purpose-aligned but depend on the trustworthiness of the external packages.
`npm install -g pyright` ... `npm install -g typescript-language-server typescript` ... `go install golang.org/x/tools/gopls@latest`
Install only the servers you need, prefer trusted package sources, and pin or review versions where your environment requires stricter supply-chain control.
