Lovable Dev

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for app deployment work, but it describes high-impact GitHub, database, and deployment actions without enough visible scoping or confirmation guidance.

Install only if you want this agent helping with GitHub, Supabase/database, auth/RLS, and deployment work. Use non-production projects first, least-privilege credentials, review diffs and SQL/RLS changes, and require explicit approval before publishing code, changing schemas, enabling auth providers, or deploying publicly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill promotes automatic GitHub sync, database/RLS creation, and one-click deployment as seamless capabilities, but it does not warn users that these actions can publish source code, modify backend infrastructure, or affect authentication and data exposure. In an agent skill, this omission is risky because users may invoke high-impact operations without understanding privacy, security, or production-change consequences.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal