ClawHub

LobsterBio - Dev

Security checks across malware telemetry and agentic risk

Overview

This is a Lobster AI development guide with expected setup, credential, and session-state cautions, but no evidence of hidden or malicious behavior.

Install this only for Lobster AI or Omics-OS development. Use a dedicated virtual environment, review the package before installing, prefer environment variables or a secret manager over command-line API-key flags, keep credential files out of version control, and review or delete persisted Lobster session/workspace files if they may contain sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad terms like 'contribute', 'fix bug', 'add feature', and 'write tests', which can match many ordinary software requests unrelated to Lobster. This can cause the skill to activate in the wrong context and steer the agent into running Lobster-specific setup and shell commands, increasing the chance of unintended repository inspection or package installation in unrelated projects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI reference explicitly encourages passing API keys as command-line flags and storing credentials in .env or credentials.env, but it does not warn that command-line arguments may be exposed via shell history, process listings, CI logs, or crash reports. In a developer-facing skill for coding agents and CI/CD, this omission increases the chance of accidental secret disclosure and insecure operational practices.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal