companion-lobster

Security checks across malware telemetry and agentic risk

Overview

This is a simple companion/chat skill with some privacy and install caveats, but no evidence of hidden access, theft, persistence, or destructive behavior.

Before installing, review the referenced GitHub repository and any npm dependencies or install scripts. Treat shared preferences, links, entertainment interests, and emotional disclosures as data the companion may use in later responses, and avoid sensitive personal details unless you are comfortable with that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding:
The skill is described as a general companionship/chat assistant with broad capabilities and no clear activation boundaries, which can cause it to engage in many ordinary conversations unintentionally. In an agent ecosystem, this increases the chance of over-triggering, inappropriate context capture, and unexpected handling of user content far beyond a narrowly scoped purpose.

Vague Triggers

Medium
Confidence: 88%
Finding:
The examples use everyday phrases like asking for movie recommendations or saying a song sounds good, which are common in normal conversation and may ambiguously trigger the skill. This can lead to accidental invocation, unintended processing of user messages, and confusion about when the skill is acting versus when the base assistant should respond.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill states that it remembers user preferences but provides no disclosure about what data is retained, for how long, or how it is protected. In a companionship context, retained preferences may include sensitive entertainment habits, emotional disclosures, or behavioral patterns, creating privacy and consent risks.

VirusTotal

66/66 vendors flagged this skill as clean.
