Skills
skills/lovstudio/skills/paid-add/Gen Agent Trust Hub

paid-add

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using the lovstudio-activate CLI tool, specifically the decrypt command to access the skill's actual logic.
  • [EXTERNAL_DOWNLOADS]: The documentation requires the user to install an external Python package lovstudio-activate via pipx or npx skills add lovstudio/skills to provide the decryption functionality.
  • [REMOTE_CODE_EXECUTION]: The skill implements a dynamic execution pattern where instructions are fetched from a remote source (via the decryption tool's HTTP round-trip) and followed 'to the letter'. Because these instructions are encrypted and retrieved at runtime, their final behavior cannot be audited beforehand.
  • [DATA_EXFILTRATION]: The decryption process involves an HTTP request to the vendor's infrastructure for license verification, which naturally exposes usage metadata and potentially environment context to the vendor's server.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 19, 2026, 06:26 AM