This is exactly what many of the AUR helpers like yay and paru already do - ask you to review the pkgbuild diffs before installing or updating.

PKGBUILDs are just bash scripts following a certain function and variable naming convention. Even if you could somehow parse it safely and extract the URLs of the 'source' array, any attacker can just simply put an obfuscated version of the malware URL into the build() function and download it there.

AUR clients already show you the diff if you update a package, but note that this were completely new packages anyway, uploaded 2 days ago, so that doesn't really apply here.

LLMs are useless for reviewing if something is malicious, their false-positive rates would be way to high. And even ignoring that you'd have to hide the LLMs code from the attacker or he can just check if his package is detected as malicious and modify it until it isn't. Not something open source projects are keen on doing.

As one commentor pointed out, in Arch it's the user's responsibility to review any AUR packages BEFORE installing them (and I say this as an Arch user and AUR package maintainer).

This particular issue is with a binary (i.e. pre-built) package, normally in Arch it's expected from an AUR package that you will build it yourself and most if not all packagers prompt you to review and or edit the PKGBUILD before it does anything.

Basically you could spot something suspicious in a source package, not so much in a binary package.

I like that idea of printing the URLs it downloads. Will help screen quickly if it's doing something malicious.