Skillv1.1.406

ClawScan security

LobsterBio - Use · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 7, 2026, 10:19 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match a legitimate Lobster CLI workflow, but the registry metadata and declared requirements are inconsistent and the runtime behavior writes LLM provider credentials to workspace/global config — reviewers should confirm the packaging and be cautious about credential storage.
Guidance: This skill appears to be a legitimate usage guide for the Lobster AI CLI, but there are two things to check before installing or running it: 1) Metadata mismatch: The package registry metadata at the top claims no required binaries or env vars, but the embedded SKILL.md requires the 'lobster' CLI, python3, and an LLM provider credential. Ask the publisher/maintainer to correct the declared requirements so mounting or policy tooling can enforce them. 2) Credential handling: The recommended non-interactive initialization will write your chosen provider credentials into the workspace `.lobster_workspace/.env` (mode 0600) or, only if `--global` is used, into `~/.config/lobster/credentials.env`. Before running `lobster init --non-interactive`, decide which provider you trust, do NOT pass multiple provider keys, and avoid the `--global` flag unless you understand the implications. Inspect `.lobster_workspace/.env` after initialization and remove or rotate keys if you are unsure. Practical steps: verify the upstream project (GitHub/PyPI links), install in an isolated environment (virtualenv/container), run `lobster config-test --json` manually to confirm connectivity, avoid agent-run global init, and review workspace files and permissions. If you need the skill to run autonomously, require additional review: confirm the agent will only use workspace-scoped config and will never run with `--global` or write credentials to system-wide locations.

Review Dimensions

Purpose & Capability: noteThe name/description (bioinformatics via Lobster AI) align with the SKILL.md instructions: it expects the lobster CLI, Python, LLM provider keys, and access to public bio databases. However the registry-level manifest at the top of the package incorrectly lists no required binaries/env vars/primary credential while the embedded SKILL.md explicitly requires 'lobster', 'python3', and one of several LLM provider credentials. This mismatch between registry metadata and the included SKILL.md is an inconsistency worth clarifying.
Instruction Scope: okThe SKILL.md stays within the stated purpose: it instructs the agent to run the lobster CLI, use workspace directories, call `lobster query` and `lobster command`, and access public bio resources. There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints. It does, however, instruct non-interactive initialization that will persist provider credentials into workspace or global config files (described behavior).
Install Mechanism: okThis is an instruction-only skill with no install spec. The SKILL.md recommends installing 'lobster-ai' from PyPI (traceable source) which is appropriate for the described functionality. No arbitrary download/extract URLs or hidden installers are present in the package.
Credentials: concernThe SKILL.md legitimately requires one LLM provider key (Anthropic/OpenAI/Google/OpenRouter/AWS Bedrock/Azure or local Ollama). That is proportionate to a tool that delegates work to LLMs. The concern is that the agent is instructed to run non-interactive `lobster init` which will write credentials into `.lobster_workspace/.env` (workspace-scoped) or optionally `~/.config/lobster/credentials.env` if `--global` is used. Writing secrets to disk is expected for a CLI but is sensitive — users should confirm the workspace path and file permissions before use. Also the package-level metadata does not advertise these required env vars, creating a packaging/visibility gap.
Persistence & Privilege: noteThe skill does not request always:true and is user-invocable; it will create and use workspace files (.lobster_workspace/, provider_config.json, .env) by design. The optional `--global` flag would write to system user config (~/.config/lobster/) — the SKILL.md notes this is not the default and warns to avoid it unless needed. This is expected behavior for a CLI but increases blast radius if an automated agent is permitted to run init with global flags.