pp-mobalytics-lol
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the `mobalytics-lol-pp-cli` and `mobalytics-lol-pp-mcp` binaries directly from the author's GitHub repository (github.com/mvanhorn/printing-press-library) and NPM registry (@mvanhorn/printing-press-library).
- [COMMAND_EXECUTION]: Executes the downloaded `mobalytics-lol-pp-cli` binary to perform champion comparisons, tier-list lookups, and meta-shift analysis.
- [DATA_EXFILTRATION]: The CLI tool includes a `--deliver webhook:<url>` feature that allows the agent to route command outputs to an external HTTP endpoint.
- [COMMAND_EXECUTION]: Provides instructions to write JSON configuration files to the local League of Legends client directory using the `item-set` command.
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection:
  - Ingestion points: Processes external game data and champion metadata from the Mobalytics API and CDN endpoints (e.g., `versions.json`, `champion.json`).
  - Boundary markers: No specific delimiters or instructions to ignore embedded content are defined in the SKILL.md for the data processed by the CLI.
  - Capability inventory: The skill can execute shell commands, write to the filesystem (LoL client path), and perform network POST requests via the webhook delivery sink.
  - Sanitization: The skill does not explicitly mention sanitization or validation of the external JSON data before it is presented to the agent or used in command arguments.
Audit Metadata