LobsterBio - Dev
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed, these commands can install or upgrade Lobster and its dependencies in the user's environment.
The guide includes user-directed package installation and upgrade commands. This is expected for a development guide, but it means users may fetch and run external package code.
uv tool install 'lobster-ai[full,anthropic]' # Install as users see it uv tool upgrade lobster-ai
Run installation commands only in a trusted development environment, review the package source/dependencies when appropriate, and avoid upgrading production environments without testing.
Running Lobster with these credentials may use paid provider accounts or cloud permissions.
The CLI documentation references provider API keys and an AWS profile. These are coherent with an LLM-powered CLI, but they grant access to external accounts if used.
`OPENAI_API_KEY` | OpenAI API key | — | | `ANTHROPIC_API_KEY` | Anthropic API key | — | | `AWS_PROFILE` | AWS profile for Bedrock | — |
Use least-privileged API keys or AWS profiles, avoid sharing credentials in prompts or workspaces, and monitor provider usage/billing.
Bioinformatics data context, conversation history, or analysis provenance may remain on disk and be reused in later sessions.
The CLI guide states that sessions persist conversation and workspace state, and later shows `.lobster/session.json` and `.lobster/provenance.json` in the workspace.
Sessions persist conversation history and workspace state.
Use separate workspaces for sensitive projects, avoid storing secrets in session context, and clear or protect workspace `.lobster` files when needed.