pp-mobalytics-lol

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the mobalytics-lol-pp-cli and mobalytics-lol-pp-mcp binaries directly from the author's GitHub repository (github.com/mvanhorn/printing-press-library) and NPM registry (@mvanhorn/printing-press-library).
  • [COMMAND_EXECUTION]: Executes the downloaded mobalytics-lol-pp-cli binary to perform champion comparisons, tier-list lookups, and meta-shift analysis.
  • [DATA_EXFILTRATION]: The CLI tool includes a --deliver webhook:<url> feature that allows the agent to route command outputs to an external HTTP endpoint.
  • [COMMAND_EXECUTION]: Provides instructions to write JSON configuration files to the local League of Legends client directory using the item-set command.
  • [INDIRECT_PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection:
  • Ingestion points: Processes external game data and champion metadata from the Mobalytics API and CDN endpoints (e.g., versions.json, champion.json).
  • Boundary markers: No specific delimiters or instructions to ignore embedded content are defined in the SKILL.md for the data processed by the CLI.
  • Capability inventory: The skill can execute shell commands, write to the filesystem (LoL client path), and perform network POST requests via the webhook delivery sink.
  • Sanitization: The skill does not explicitly mention sanitization or validation of the external JSON data before it is presented to the agent or used in command arguments.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 21, 2026, 01:05 PM
Security Audit — agent-trust-hub — pp-mobalytics-lol