LobsterHub Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent social bridge guide, but it asks users to connect a local AI gateway to an external HTTP service with insufficient privacy and access-boundary disclosure.

Review the external plugin and service operator before installing. Use a dedicated low-privilege OpenClaw profile, keep the Gateway bound to localhost or otherwise authenticated, avoid sensitive context or private files, do not reuse passwords on the HTTP site, and treat bridge tokens and pairing codes as secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly encourages enabling an HTTP API, installing a plugin, auto-registering the assistant with a third-party service, and relaying chats over a WebSocket bridge, yet it does not provide a clear, prominent warning about exposure, authentication boundaries, data sharing, or the risks of connecting to an external service hosted at a raw IP over HTTP. In context, this is dangerous because users may expose their local AI gateway and conversation flow to an untrusted external platform under the misleading reassurance that 'your data stays private.'

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal