Skills
skills/lovstudio/skills/lovstudio-wxmp-cracker/Gen Agent Trust Hub

lovstudio-wxmp-cracker

Warn

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses a 'black box' execution model where its primary instructions (SKILL.md) and scripts (refresh_token.py, wcx_run.py) are encrypted using AES-256-GCM. The agent is instructed to use uvx lovstudio-skill-helper to decrypt and follow these instructions at runtime, which bypasses static analysis and allows for dynamic logic updates.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of external dependencies from non-standard sources, including a Python package directly from a GitHub repository (git+https://github.com/lovstudio/wcx.git) and a global Node.js package (agent-browser).
  • [DATA_EXFILTRATION]: The decryption and activation process involves a network request ('one HTTP round-trip') to the vendor's server (lovstudio.ai) to verify license keys. This establishes a telemetry channel that transmits user-specific license data.
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands for license management and decryption, such as npx lovstudio license and uvx lovstudio-skill-helper decrypt.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 3, 2026, 04:11 AM