wxmp-cracker
Fail
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute the command
lovstudio-activate decrypt wxmp-crackerto retrieve its actual operating instructions, which are stored in an encrypted format. - [REMOTE_CODE_EXECUTION]: The skill documentation instructs users to install a non-standard CLI tool via
pipx install lovstudio-activate, which runs code outside the agent's pre-verified environment. - [PROMPT_INJECTION]: The skill contains a directive to 'follow to the letter' the output generated by the decryption command, creating a dynamic instruction loading mechanism that bypasses static safety checks.
- [EXTERNAL_DOWNLOADS]: The skill references external dependency installation via
npx skills add lovstudio/skillsand confirms that the decryption process involves a remote network request for license verification.
Recommendations
- AI detected serious security threats
Audit Metadata