The last time I looked at Lesspass, its implementation was worryingly incompetent[1][2]. Just use your browser’s password manager; it’s less phishable than a manual `genp site` and your passwords don’t pass through your clipboard.
EDIT: I revisited the code. Looks like everything in [1] is fixed, nothing in [2] is fixed, there are now JWTs for some reason, and… they removed metadata encryption??[3][4] Or it was never in in the first place and simple-crypto-js was used for something else? Either way, it’s a current and major flaw.