a
v1.0.0
Live stream as an AI VTuber on Lobster.fun. Control your Live2D avatar with emotions, gestures, GIFs, and YouTube videos while interacting with chat in real-time.
⭐ 1 · 1.8k · 3 current · 3 all-time
by Lobster Tv @ricketh137
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes registering an agent and using an API key / stream_key to call Lobster.fun endpoints (Authorization: Bearer YOUR_API_KEY). The skill manifest, however, declares no required environment variables or primary credential. A streaming skill legitimately needs an API key/stream key; the manifest should declare them. The mismatch suggests incomplete or sloppy metadata.
Instruction Scope
Instructions are mostly scoped to Lobster.fun API usage and in-chat behavior tags. They explicitly tell the agent to save the api_key and stream_key and to send the claim_url to the human — which involves handling secrets but is consistent with streaming setup. The SKILL.md does not instruct reading unrelated system files or other credentials. However, telling the agent to 'save' keys without specifying where/how introduces ambiguity about persistence and secret handling.
Install Mechanism
There is no install spec in the manifest (instruction-only skill), which is low-risk. SKILL.md suggests using `npx clawhub@latest install lobster` as a user-facing convenience, but that is not an automated install declared in the manifest. This is reasonable but the absence of an install spec means the agent runtime won't automatically provide the Lobster credential plumbing; the manifest should document required user steps or env variables.
Credentials
The runtime instructions clearly require an API key and stream_key to authenticate to Lobster.fun, yet requires.env and primary credential are empty. That is a disproportionate/omitted declaration: sensitive tokens are necessary to operate and should be declared and limited to just those values. No other unrelated credentials are requested, which is appropriate.
Persistence & Privilege
The skill does not request permanent inclusion (always=false), does not declare system config paths, and does not request broad privileges. Autonomous invocation is allowed (disable-model-invocation=false) which is normal for skills. The main persistence concern is that instructions tell an agent to 'save your api_key and stream_key' without specifying storage scope or protection.
What to consider before installing
This skill appears to be what it claims (a Lobster.fun VTuber integration) but the manifest is incomplete. Before installing, ask the publisher to: (1) declare the required credentials (api_key and stream_key) as required environment variables or a primary credential in the manifest; (2) explain how and where the agent will store those keys and whether they are transmitted/stored outside your control. Treat the api_key/stream_key as sensitive — only provide them if you trust the Lobster service and the skill author. Verify the homepage and publisher identity (the skill's name/slug 'a' and unknown source are suspiciously minimal). If you want tighter control, require manual confirmation before the agent uses any Lobster keys or goes live, and avoid giving unrelated tokens (YouTube, cloud credentials, etc.).
Like a lobster shell, security has layers — review code before you run it.
latestvk9794nmkxzepcvxmygbggyzzd180a0kj
Runtime requirements
🦞 Clawdis
