
ast-injection-scanner (listed)

Statically scan agent-generated JavaScript and shell scripts for dangerous patterns using AST analysis (acorn/swc). Detect eval(), process.env access, dynamic require(), child_process usage, and path traversal before code execution.
phamlongh230-lgtm/yamtam-engine · ★ 3 · AI & Automation · score 65
Install: claude install-skill phamlongh230-lgtm/yamtam-engine
# AST Injection Scanner

Parse agent-generated code into an Abstract Syntax Tree and walk every node looking for dangerous call patterns — before any line is executed.

## When to Use

- Agent system that generates and hot-loads JS code at runtime
- Validating shell scripts produced by an agent before executing them
- Building a pre-commit hook that blocks dangerous code patterns
- Implementing YAMTAM sovereign-runtime-law (rule 51) AST gate

## Do NOT use for

- Linting developer code (use ESLint with security plugins instead)
- Python/Ruby code (use language-specific AST tools: ast module, RuboCop)
- Performance-critical paths where AST parse overhead is unacceptable

## acorn-based Scanner

```js
import { parse } from 'acorn';

// Call names that are never acceptable in agent-generated code.
const BLOCKED_CALLS = new Set(['eval', 'exec', 'execSync', 'execFile', 'spawnSync', 'fork']);

// object.property accesses to flag; property null means any member of that object.
const BLOCKED_MEMBERS = [
  { object: 'process', property: 'env' },
  { object: 'child_process', property: null }, // any child_process method
  { object: 'fs', property: 'writeFileSync' },
  { object: 'fs', property: 'unlinkSync' },
];

function scanAST(source, filename = 'agent-generated') {
  const ast = parse(source, {
    ecmaVersion: 2022,
    sourceType: 'module',
    locations: true,
  });

  const violations = [];

  function walk(node) {
    if (!node || typeof node !== 'object') return;

    if (node.type === 'CallExpression') {
      // Bare call (eval(...)) or member call (cp.exec(...)): compare the final name.
      const name = node.callee?.name ?? node.callee?.property?.name;
      if (BLOCKED_CALLS.has(name)) {
        violations.push({ rule: 'blocked-call', name, filename, line: node.loc.start.line });
      }
    }

    // The listing is cut off after the call check above; the rest of the walker
    // (member-access check, recursion into children, result) is completed here.
    if (node.type === 'MemberExpression' && node.object?.type === 'Identifier') {
      const hit = BLOCKED_MEMBERS.find(
        (m) => m.object === node.object.name && (m.property === null || m.property === node.property?.name),
      );
      if (hit) {
        const name = `${node.object.name}.${node.property?.name}`;
        violations.push({ rule: 'blocked-member', name, filename, line: node.loc.start.line });
      }
    }

    // Recurse into every child node and child array, skipping location metadata.
    for (const key of Object.keys(node)) {
      if (key === 'loc') continue;
      const child = node[key];
      if (Array.isArray(child)) child.forEach(walk);
      else walk(child);
    }
  }

  walk(ast);
  return violations;
}
```
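The scanner above flags blocked calls and member accesses; the skill description also promises dynamic `require()` and path-traversal detection. The following is an added example, not code from the yamtam-engine project, showing both checks over an ESTree AST (the node shape acorn's `parse()` returns). The sample AST and the `FS_SINKS` list are constructed here, so the block runs offline without acorn installed.

```javascript
// Added example (not project code): dynamic require() and path-traversal checks
// over an ESTree AST. The sample AST below is hand-built so this runs without acorn.
const FS_SINKS = new Set(['readFile', 'readFileSync', 'writeFile', 'writeFileSync', 'createReadStream']);

// require() whose first argument is not a string literal: the module name is
// decided at runtime, so a static reviewer cannot tell what gets loaded.
function isDynamicRequire(node) {
  if (node.type !== 'CallExpression') return false;
  if (node.callee.type !== 'Identifier' || node.callee.name !== 'require') return false;
  const arg = node.arguments[0];
  return !arg || arg.type !== 'Literal' || typeof arg.value !== 'string';
}

// fs.<sink>(...) receiving a string literal that contains a parent-directory segment.
function hasTraversalLiteral(node) {
  if (node.type !== 'CallExpression') return false;
  const c = node.callee;
  const fsCall = c.type === 'MemberExpression' && !c.computed &&
    c.object.type === 'Identifier' && c.object.name === 'fs' && FS_SINKS.has(c.property.name);
  if (!fsCall) return false;
  return node.arguments.some(
    (a) => a.type === 'Literal' && typeof a.value === 'string' && /(^|[\\/])\.\.([\\/]|$)/.test(a.value),
  );
}

// Visit every node (arrays included), skip `loc` metadata, collect hits in source order.
function findViolations(ast) {
  const violations = [];
  function walk(node) {
    if (!node || typeof node !== 'object') return;
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (isDynamicRequire(node)) violations.push({ rule: 'dynamic-require', line: node.loc?.start.line });
    if (hasTraversalLiteral(node)) violations.push({ rule: 'path-traversal', line: node.loc?.start.line });
    for (const key of Object.keys(node)) if (key !== 'loc') walk(node[key]);
  }
  walk(ast);
  return violations;
}

// Constructed ESTree (acorn's shape, loc trimmed to line numbers) for three statements:
//   line 1: require(name)   line 2: fs.readFileSync('../../config/secrets.json')   line 3: require('fs')
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const call = (callee, args, line) => ({ type: 'CallExpression', callee, arguments: args, loc: { start: { line } } });
const stmt = (expression) => ({ type: 'ExpressionStatement', expression });
const SAMPLE_AST = { type: 'Program', body: [
  stmt(call(id('require'), [id('name')], 1)),
  stmt(call({ type: 'MemberExpression', computed: false, object: id('fs'), property: id('readFileSync') }, [lit('../../config/secrets.json')], 2)),
  stmt(call(id('require'), [lit('fs')], 3)),
] };
```

Calling `findViolations(SAMPLE_AST)` reports the dynamic require on line 1 and the traversal literal on line 2; the static `require('fs')` on line 3 is left alone, and the same function can be handed the real tree returned by acorn's `parse()`.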