lovart-api
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill uses behavioral overrides to ensure the agent uses the provided tools for media generation rather than defaulting to standard capability refusals (e.g., "You CAN generate directly
- never say you cannot", "Do NOT say 'I can't generate images/music'").
- [COMMAND_EXECUTION]: The skill executes a local Python script (
agent_skill.py) to perform its core functions. User-supplied prompts are interpolated as command-line arguments, which represents a potential indirect prompt injection surface if the agent platform does not sanitize input before execution. - [EXTERNAL_DOWNLOADS]: The skill is designed to download generated media artifacts from the vendor's official CDN (
assets-persist.lovart.ai) to the local filesystem. - [DATA_EXFILTRATION]: User prompts and reference data are transmitted to the Lovart API (
lgw.lovart.ai) to facilitate the generation process. This is the intended primary function of the skill. - [SAFE]: The skill persists local state (active project and recent thread IDs) in
~/.lovart/state.jsonto maintain conversation continuity across sessions. This is a standard state management practice.
Audit Metadata