ClawHub

Lsp Assist

v1.1.2

Language Server Protocol integration for OpenClaw agents. Enables precise code navigation: go-to-definition, find-references, hover type info, diagnostics, a...

0· 64·0 current·0 all-time
by@zgjq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the provided code and SKILL.md. The script spawns language servers (typescript-language-server, pyright) and implements LSP queries (goto, refs, hover, diag, symbols) — exactly what an LSP assist tool should do. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions and the code restrict network binding to localhost and enforce project-root containment for file reads. The daemon exposes HTTP endpoints (including /shutdown) and accepts an optional Bearer token; by default no token is required, which makes the API accessible to any local process. This behaviour is expected for a local LSP daemon but is worth noting because local processes can query it without additional authorization unless you start with --token.
Install Mechanism
No install spec (instruction-only) and included Python script uses only the standard library. It relies on externally installed language-server binaries (npm/pip) as documented — expected for this purpose and lower-risk than arbitrary downloads.
Credentials
The skill requests no environment variables, credentials, or unusual config paths. The optional --token is a local auth mechanism documented in SKILL.md; nothing requests unrelated secrets.
Persistence & Privilege
The skill is not always: true and uses normal daemon/one-shot modes. It does not require persistent system privileges or modify other skills. Autonomous invocation by the agent is allowed by default (platform normal), and does not combine with other red flags here.
Assessment
This skill appears to do what it says: run local LSP servers and expose query endpoints on 127.0.0.1. Before installing/using: (1) ensure you install the declared language servers (typescript-language-server, pyright) from trusted sources; (2) run the daemon with --token if you want to prevent other local users/processes from using it; (3) run it with --root set to the intended project directory (the client enforces containment, but verify the path you pass is correct); (4) avoid binding to non-loopback interfaces or running this in environments where 127.0.0.1 may be reachable from other tenants (multi-tenant containers, reverse proxies) unless you understand the exposure. If you need higher assurance, review the full lsp_client.py file locally or run it in an isolated dev container.

Like a lobster shell, security has layers — review code before you run it.

codevk970rksqby3c4peg0qzzm3yr95840203developer-toolsvk970rksqby3c4peg0qzzm3yr95840203latestvk973v56y6d92e8wxt0naws4d8h840w1flspvk970rksqby3c4peg0qzzm3yr95840203navigationvk970rksqby3c4peg0qzzm3yr95840203pythonvk970rksqby3c4peg0qzzm3yr95840203typescriptvk970rksqby3c4peg0qzzm3yr95840203

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments