paid-add
Fail
Audited by Snyk on Apr 19, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill deliberately hides its real instructions in an encrypted payload and requires an external "lovstudio-activate" CLI (which performs a network round trip and may fetch/activate content) and runtime decryption on each use — an obfuscation + dynamic-fetch pattern that can be used to deliver hidden code, enable supply-chain delivery of arbitrary payloads, or activate remote backdoors even though the provided files do not themselves contain explicit exfiltration or exec code.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill requires running the runtime command "lovstudio-activate decrypt paid-add", which performs an HTTP round-trip to Lovstudio's activation service to fetch/decrypt the actual SKILL.md that directly controls the agent's instructions (no explicit URL is shown in the skill files).
Issues (2)
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata