LobsterLAN

Pass

Audited by ClawScan on May 10, 2026.

Overview

LobsterLAN’s behavior matches its stated purpose of sending questions or delegated tasks to configured local-network peer agents, but users should protect peer tokens and understand that async delegation can make another agent act independently.

Install only if you intend to let this agent communicate with trusted OpenClaw peers. Configure peers.json carefully, protect the tokens, use SSH/TLS/Tailscale transport as recommended, and avoid fire-and-forget delegation for sensitive or irreversible tasks.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Questions or delegated tasks may be processed by another agent, and that peer may have its own tools, data, and permissions.

Why it was flagged

The skill intentionally sends prompts or tasks to other configured agents using tokens. This is disclosed and central to the skill, but users should treat peer agents and the network path as a trust boundary.

Skill content

Supports both synchronous chat completions and asynchronous webhook-based task delegation. Requires peers.json config with peer addresses and tokens.

Recommendation

Configure only trusted peers, use secure transport as documented, and avoid sending sensitive prompts or tasks to peers you do not control.

What this means

Anyone who can read the configured token file may be able to call the peer agent endpoints allowed by those tokens.

Why it was flagged

The skill stores peer access tokens in a local peers.json-style configuration. This is expected for authenticated peer communication, but those tokens can authorize access to peer agent endpoints.

Skill content

"gateway_token": "PEER_GATEWAY_TOKEN_HERE", "hooks_token": "PEER_HOOKS_TOKEN_HERE"

Recommendation

Keep peers.json private, use least-privilege tokens where possible, rotate tokens if exposed, and do not commit the real config file to shared repositories.

What this means

A delegated task may run on the peer agent without waiting for a reply, so mistakes can propagate to another environment.

Why it was flagged

The delegate command uses curl to trigger a peer webhook with a user-supplied task message. This is the advertised functionality, but it can cause another agent to begin work immediately.

Skill content

cmd_delegate() ... curl -sS --max-time 10 "$url" ... -d ... 'wakeMode': 'now'

Recommendation

Use delegation only for tasks appropriate for the peer’s permissions, and prefer a synchronous ask or manual confirmation for sensitive or irreversible work.

What this means

The skill may fail or behave inconsistently on systems without the expected command-line tools.

Why it was flagged

The registry metadata does not declare runtime binary requirements, while the included script invokes bash, curl, and python3. This is not malicious, but it is an under-declared dependency.

Skill content

Required binaries (all must exist): none

Recommendation

Before use, confirm bash, curl, and python3 are installed, and review the included script if your environment has stricter execution policies.