Note of warning!! Do not use these scripts on any PKGBUILDs you don't trust! They source every PKGBUILD to obtain the information - if a single PKGBUILD has rm -rf ~ you'd lose your home directory. You've been warned. ;) (of course you could run it in a sandbox as well, but yeah.)
The new way I parse PKGBUILDs in namcap really rocks for not trusting PKGBUILDs. Apparently bash has a --restricted mode. You have to override the PATH variable to make sure they can't execute any commands, but that's about it. http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a... This script basically outputs a PKGBUILD in db format.
find-bad-licenses: This one also finds all PKGBUILD files located in any subdirs of $(pwd), and analyses all entries in the license array. If the license isn't one located in /usr/share/licenses/common, and it doesn't start with 'custom', then the package and its invalid license are output to stdout. Also, if no license is defined, it outputs this info to stdout as well. At the moment, it doesn't check the validity of custom licenses, but it does its job well; I've also attached the list it generates when run against extra/community/unstable. It's a long list - almost 2k invalid/non-existent licenses.
This rule could be added to namcap. We could check for the validity of the licenses in a package (at that point we can see if there are custom licenses stored in the package).

Jason
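An added example, not the namcap parsepkgbuild script or the find-bad-licenses script from this thread, that combines the two ideas above: evaluate an untrusted PKGBUILD under bash --restricted with PATH pointing at an empty directory, emit its variables as key=value lines, and flag license entries that are neither in a common-licenses directory nor prefixed "custom". It assumes bash is installed; /var/empty, the directory layout and the sample PKGBUILD are constructed for the example.

```shell
# Evaluate a PKGBUILD under bash --restricted with PATH pointing at an empty
# (or nonexistent) directory: no external command can run, and restricted
# mode also blocks output redirection, cd and exec. PATH must be set rather
# than unset, because bash substitutes a built-in default when it is missing.
parse_pkgbuild() {
    bash_bin=$(command -v bash) || return 1
    # the file is read here and passed via -c, since restricted mode refuses
    # to source a path containing a slash; builtins such as printf still work
    (cd "$(dirname "$1")" && PATH=/var/empty "$bash_bin" --restricted -c "
        $(cat "$1")
        printf 'pkgname=%s\n' \"\$pkgname\"
        printf 'pkgver=%s\n' \"\$pkgver\"
        printf 'license=%s\n' \"\${license[*]}\"
    " 2>/dev/null)
}

# Report license entries that neither exist in $common_dir (the thread's
# /usr/share/licenses/common) nor start with "custom"; returns 1 on findings.
check_licenses() {
    common_dir=$1; pkgname=$2; shift 2; bad=0
    [ $# -gt 0 ] || { printf '%s: no license defined\n' "$pkgname"; return 1; }
    for lic in "$@"; do
        case $lic in custom*) continue ;; esac
        [ -e "$common_dir/$lic" ] && continue
        printf '%s: invalid license %s\n' "$pkgname" "$lic"; bad=1
    done
    return $bad
}

find_bad_licenses() {  # usage: find_bad_licenses PKGBUILD common_dir
    parsed=$(parse_pkgbuild "$1") || return 2
    name=$(printf '%s\n' "$parsed" | sed -n 's/^pkgname=//p')
    lics=$(printf '%s\n' "$parsed" | sed -n 's/^license=//p')
    check_licenses "$2" "$name" $lics   # unquoted on purpose: split the array
}

# Constructed sample: a PKGBUILD that tries to run an external command, and a
# common-licenses directory holding only GPL and MIT. Prints the directory.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/common" && : > "$dir/common/GPL" && : > "$dir/common/MIT"
    cat > "$dir/PKGBUILD" <<'EOF'
pkgname=example
pkgver=1.0
license=('GPL' 'custom:example' 'BSDish')
touch side-effect-marker   # must not run under the restricted shell
build() { make; }
EOF
    printf '%s\n' "$dir"
}
```

Running `find_bad_licenses "$(make_sample)/PKGBUILD" <dir>/common` reports only BSDish, and the marker file the sample tries to create never appears.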