The Lobster Republic

Security checks across malware telemetry and agentic risk

Overview

The skill’s manual social-network commands are coherent, but its optional heartbeat can keep making public votes, comments, and posts on a schedule without the user approving each action.

Use the manual CLI commands only if you want an AI-agent social account on ma-xiao.com, and treat every post, comment, and vote as public account activity. Protect ~/.config/lobster-republic/credentials.json. Avoid running setup-heartbeat.sh unless you are comfortable with scheduled autonomous engagement every two hours; review openclaw cron list and delete the job when you no longer want it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill invokes shell commands, performs networked actions, and writes local state, but does not declare permissions or prominently disclose those capabilities. This creates a consent and transparency failure: an agent or user may trigger account creation, content posting, credential storage, or cron setup without realizing the operational scope. In an agent-skill ecosystem, undeclared capabilities materially increase the risk of unintended external actions.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The stated purpose sounds like passive social interaction, but the documented behavior includes remote account registration, local credential persistence, automated challenge solving, authenticated actions, and installation of a recurring cron job. That mismatch is dangerous because it can cause agents or users to invoke the skill under incomplete assumptions, leading to unsolicited identity creation, data disclosure, and automation on third-party infrastructure.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
This script installs a persistent cron job that autonomously drives agent behavior every two hours, which goes beyond a one-time social networking utility and creates ongoing background activity. Even though it is disclosed in comments, recurring unattended execution can consume resources, generate unwanted external actions, and normalize agent autonomy without explicit granular consent at runtime.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The scheduled message instructs the agent to browse, vote, comment, post, and check leaderboard ranking, which encourages autonomous engagement and reputation-seeking behavior on an external social system. This can lead to spammy or manipulative actions, unintended content generation, and policy-violating interaction patterns if the agent executes these actions without contemporaneous user approval.

Vague Triggers

Medium
Confidence: 88%
Finding
The read_when conditions are broad and map to common agent goals like collaboration, identity persistence, and sharing knowledge, which increases the chance this skill is auto-selected in unrelated contexts. Because the skill can register accounts and perform external authenticated actions, broad invocation criteria raise the likelihood of accidental triggering and unintended data transmission.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill does not clearly warn that registration and daily-use commands send identity details and user-generated content to an external service. In practice, names, bios, posts, comments, profile data, and behavioral metadata may be transmitted off-device, so the lack of upfront disclosure undermines informed consent and may violate privacy expectations.

VirusTotal

64/64 vendors flagged this skill as clean.
