lovebug-report
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local scripts via the
nodecommand to interface with thelovebug-reportpackage logic for data processing. - [EXTERNAL_DOWNLOADS]: The skill retrieves outbreak statistics and regional snapshots from public JSON endpoints at
러브버그.com(xn--2i0bt2q2wd1wb.com). - [DATA_EXFILTRATION]: User-provided coordinates and anonymous device hashes are sent to an external Supabase RPC endpoint. This behavior is the intended functionality for submitting crowdsourced reports and is clearly disclosed in the workflow.
- [PROMPT_INJECTION]: The skill has a theoretical surface for indirect prompt injection by processing external crowdsourced data. Ingestion points: Outbreak data is fetched from public JSON endpoints (SKILL.md). Boundary markers: None are present in the provided prompts. Capability inventory: Subprocess execution is limited to the skill's own CLI tools (
node packages/lovebug-report/src/cli.js). Sanitization: Instructions mandate that the agent answers conservatively and identifies the source as user-report-based.
Audit Metadata