Audit History - yolo

Audit version 3

Latest Low Risk

Jan 10, 2026, 08:57 AM

Legitimate browser automation skill for Lovable.dev deployments. All operations are controlled by user configuration, provide manual fallbacks, and only interact with the Lovable.dev platform as documented. No malicious patterns detected.

6

Files scanned

4,537

Lines analyzed

4

findings

claude

Audited by

Low Risk Issues (2)

references/automation-workflows.md:68-95

Browser automation capability

The skill uses Claude's browser automation tools (find, read_page, form_input, computer) to interact with Lovable.dev. This is a legitimate capability for deployment automation, but requires the Claude in Chrome extension. The code explicitly provides manual fallbacks when automation fails.

references/secrets-extraction.md:173-225

Extracting secrets from Lovable Cloud

The skill can extract secret NAMES (not values) from Lovable Cloud settings page. This is used during init to show which secrets are already configured. The code explicitly states it does NOT extract secret values: 'Store secret name only (values not extracted for security)'.

Risk Factors

📁 Filesystem access (1)

SKILL.md:204-228

⚙️ External commands (1)

references/automation-workflows.md:254-306

Audit version 2

Low Risk

Jan 10, 2026, 08:57 AM

Legitimate browser automation skill for Lovable.dev deployments. All operations are controlled by user configuration, provide manual fallbacks, and only interact with the Lovable.dev platform as documented. No malicious patterns detected.

6

Files scanned

4,537

Lines analyzed

4

findings

claude

Audited by

Low Risk Issues (2)

references/automation-workflows.md:68-95

Browser automation capability

The skill uses Claude's browser automation tools (find, read_page, form_input, computer) to interact with Lovable.dev. This is a legitimate capability for deployment automation, but requires the Claude in Chrome extension. The code explicitly provides manual fallbacks when automation fails.

references/secrets-extraction.md:173-225

Extracting secrets from Lovable Cloud

The skill can extract secret NAMES (not values) from Lovable Cloud settings page. This is used during init to show which secrets are already configured. The code explicitly states it does NOT extract secret values: 'Store secret name only (values not extracted for security)'.

Risk Factors

📁 Filesystem access (1)

SKILL.md:204-228

⚙️ External commands (1)

references/automation-workflows.md:254-306

Audit version 1

Low Risk

Jan 10, 2026, 08:57 AM

Legitimate browser automation skill for Lovable.dev deployments. All operations are controlled by user configuration, provide manual fallbacks, and only interact with the Lovable.dev platform as documented. No malicious patterns detected.

6

Files scanned

4,537

Lines analyzed

4

findings

claude

Audited by

Low Risk Issues (2)

references/automation-workflows.md:68-95

Browser automation capability

The skill uses Claude's browser automation tools (find, read_page, form_input, computer) to interact with Lovable.dev. This is a legitimate capability for deployment automation, but requires the Claude in Chrome extension. The code explicitly provides manual fallbacks when automation fails.

references/secrets-extraction.md:173-225

Extracting secrets from Lovable Cloud

The skill can extract secret NAMES (not values) from Lovable Cloud settings page. This is used during init to show which secrets are already configured. The code explicitly states it does NOT extract secret values: 'Store secret name only (values not extracted for security)'.

Risk Factors

📁 Filesystem access (1)

SKILL.md:204-228

⚙️ External commands (1)

references/automation-workflows.md:254-306