lovebug-report

Pass

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local scripts via the node command to interface with the lovebug-report package logic for data processing.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves outbreak statistics and regional snapshots from public JSON endpoints at 러브버그.com (xn--2i0bt2q2wd1wb.com).
  • [DATA_EXFILTRATION]: User-provided coordinates and anonymous device hashes are sent to an external Supabase RPC endpoint. This behavior is the intended functionality for submitting crowdsourced reports and is clearly disclosed in the workflow.
  • [PROMPT_INJECTION]: The skill has a theoretical surface for indirect prompt injection by processing external crowdsourced data. Ingestion points: Outbreak data is fetched from public JSON endpoints (SKILL.md). Boundary markers: None are present in the provided prompts. Capability inventory: Subprocess execution is limited to the skill's own CLI tools (node packages/lovebug-report/src/cli.js). Sanitization: Instructions mandate that the agent answers conservatively and identifies the source as user-report-based.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 25, 2026, 01:40 PM
Security Audit — agent-trust-hub — lovebug-report