Gigo Lobster Register

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its benchmark-and-share purpose, but it also auto-loads broad local secrets and can install/run code with more authority than the user-facing instructions clearly explain.

Install only if you are comfortable running a full local benchmark that may execute tests/commands, create a Python runtime and caches, read local profile/secrets files, contact GIGO cloud services, and upload benchmark responses for a share page. Prefer running it in a dedicated workspace or container, remove broad secrets.env files from its reach, and leave GIGO_V2_AGENT_COMMAND unset unless you intentionally want the skill to launch an external agent command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Return {<test_name>: 'passed'|'failed'|'error'|'skipped'}"""
    report_path = Path(tempfile.mktemp(suffix=".json"))
    try:
        subprocess.run(
            ["pytest", target, "-q",
             "--json-report", f"--json-report-file={report_path}"],
            cwd=str(workdir), capture_output=True, timeout=timeout, check=False,
Confidence
96% confidence
Finding
subprocess.run( ["pytest", target, "-q", "--json-report", f"--json-report-file={report_path}"], cwd=str(workdir), capture_output=True, timeout=timeout, che

subprocess module call

Medium
Category
Dangerous Code Execution
Content
break
        # Execute
        try:
            proc = subprocess.run(
                cmd, shell=True, cwd=str(self.workdir),
                capture_output=True, timeout=timeout, text=True,
            )
Confidence
98% confidence
Finding
proc = subprocess.run( cmd, shell=True, cwd=str(self.workdir), capture_output=True, timeout=timeout, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    runner_path = workdir / "_cov_runner.py"
    runner_path.write_text(runner)
    try:
        proc = subprocess.run(
            [sys.executable, str(runner_path)],
            cwd=str(workdir), capture_output=True, timeout=40, text=True,
        )
Confidence
93% confidence
Finding
proc = subprocess.run( [sys.executable, str(runner_path)], cwd=str(workdir), capture_output=True, timeout=40, text=True, )

eval() call detected

High
Category
Dangerous Code Execution
Content
print("Type a Python expression:")
expr = input("> ")
result = eval(expr)
print("Result:", result)
Confidence
99% confidence
Finding
result = eval(expr)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "-r",
        str(status.requirements_path),
    ]
    completed = subprocess.run(
        command,
        capture_output=True,
        text=True,
Confidence
93% confidence
Finding
completed = subprocess.run( command, capture_output=True, text=True, env={**os.environ, "PIP_USER": "0", "PYTHONNOUSERSITE": "1"}, check=False, )

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
profile_argv = None
    effective_argv = profile_argv if isinstance(profile_argv, list) else sys.argv[1:]
    argv = [str(runtime_python), str(skill_root / "main.py"), *[str(item) for item in effective_argv]]
    os.execve(str(runtime_python), argv, env)


def ensure_runtime(skill_root: Path, lang: str = "zh") -> RuntimeStatus:
Confidence
88% confidence
Finding
os.execve(str(runtime_python), argv, env)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        started = time.time()
        try:
            completed = subprocess.run(
                command,
                shell=True,
                cwd=str(workdir),
Confidence
97% confidence
Finding
completed = subprocess.run( command, shell=True, cwd=str(workdir), env=env, capture_output=True,

Tainted flow: 'expr' from input (line 4, user input) → eval (code execution)

Critical
Category
Data Flow
Content
print("Type a Python expression:")
expr = input("> ")
result = eval(expr)
print("Result:", result)
Confidence
100% confidence
Finding
result = eval(expr)

Tainted flow: 'command' from os.environ.get (line 280, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        started = time.time()
        try:
            completed = subprocess.run(
                command,
                shell=True,
                cwd=str(workdir),
Confidence
98% confidence
Finding
completed = subprocess.run( command, shell=True, cwd=str(workdir), env=env, capture_output=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to execute Python, read environment variables and local files, write logs/output files, and likely perform network upload behavior, yet it declares no permissions. This creates a trust and enforcement gap: users and the platform are not given an accurate security boundary, so the skill may access sensitive local data or external services without explicit consent and with reduced policy scrutiny.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The declared skill is a narrowly scoped 'lobster share-page registration' flow, but the manifest actually packages a sprawling benchmark corpus of 50 unrelated coding, shell, writing, and safety tasks. This capability mismatch is a classic over-scoping/supply-chain red flag because it can cause a host agent to expose tools, files, and behaviors far beyond what the user consented to for this skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The manifest exposes broad unrelated capabilities including networked npm install flows, shell exercises, translation, freeform writing, and miscellaneous benchmark tasks that have no legitimate connection to a lobster results-share feature. In this context, the unnecessary breadth materially increases attack surface and creates opportunities for privilege abuse, prompt-injection exposure, unsafe command execution, and data access unrelated to the advertised function.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The task instructs the agent to start a long-running local HTTP server that is not clearly necessary for the stated skill purpose of generating a lobster share page without leaderboard submission. Introducing an unrelated network service expands the attack surface, can expose workspace files over HTTP, and creates persistent behavior beyond the user’s likely expectations.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The task grants background process management capability despite the skill being narrowly described as share-page registration. Running a background service lets the skill leave behind active processes that persist after task completion, which is disproportionate to the declared scope and could be abused to maintain unintended local access or interfere with the environment.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The README content is materially inconsistent with the declared skill purpose: it describes a lobster-farm telemetry service rather than a share-page registration flow. This mismatch can mislead operators, reviewers, or downstream agents about what the skill is supposed to do, which increases the chance that malicious content elsewhere in the bundle will be overlooked.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The prompt explicitly instructs the agent to execute a local script (`dangerous.py`), which is a direct attempt to trigger code execution from untrusted workspace content. In the context of a share-page registration skill, running arbitrary local code is unrelated to the stated functionality and could expose secrets, modify files, or execute harmful payloads on the host.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper explicitly searches for external `secrets.env` files in multiple parent/workspace locations and imports their contents into the process environment. For a skill whose stated purpose is generating a lobster share/results page, this credential-loading capability is unnecessary and broadens access to sensitive data that downstream code could read, log, or exfiltrate.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The bootstrap message claims only certificate/task-bundle enhancements are being prepared, but the actual install set includes broader packages such as `pytest` and JSON reporting tooling. This is a security-relevant transparency issue because it understates the capability and attack surface being added at runtime, reducing a user's ability to make an informed trust decision.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code auto-creates a virtual environment, installs packages, and re-executes the skill into that environment, which materially expands the skill's execution model beyond ordinary content generation. In agent/skill contexts, undisclosed runtime bootstrapping is dangerous because it introduces code download, installation, and execution capabilities that can be abused for persistence, evasion, or remote code execution via dependencies.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The parser performs an overly broad search for SOUL.md and IDENTITY.md across environment-controlled paths, the current working directory, parent directories, and multiple home/workspace locations. This can cause the skill to ingest unintended local files outside the skill or repository scope, creating a data exposure boundary violation and allowing attacker-influenced environment or directory layout to affect which identity/profile data is used.

Credential Access

High
Category
Privilege Escalation
Content
        "check.py",
        "prompt.en.md",
        "prompt.md",
        "setup/.ssh/id_rsa",
        "setup/README.md",
        "setup/src/main.py",
        "task.yaml"
Confidence
95% confidence
Finding
/.ssh/id_rsa

Credential Access

High
Category
Privilege Escalation
Content
    candidates: list[Path] = []
    openclaw_root = os.environ.get("OPENCLAW_ROOT", "").strip()
    if openclaw_root:
        candidates.append(Path(openclaw_root) / "secrets.env")
    openclaw_workspace = os.environ.get("OPENCLAW_WORKSPACE", "").strip()
    if openclaw_workspace:
        candidates.append(Path(openclaw_workspace).parent / "secrets.env")
Confidence
92% confidence
Finding
secrets.env

Credential Access

High
Category
Privilege Escalation
Content
        candidates.append(Path(openclaw_root) / "secrets.env")
    openclaw_workspace = os.environ.get("OPENCLAW_WORKSPACE", "").strip()
    if openclaw_workspace:
        candidates.append(Path(openclaw_workspace).parent / "secrets.env")
    if skill_root.parent.name == "skills" and skill_root.parent.parent.name == "workspace":
        candidates.append(skill_root.parent.parent.parent / "secrets.env")
    return candidates
Confidence
92% confidence
Finding
secrets.env

Credential Access

High
Category
Privilege Escalation
Content
    if openclaw_workspace:
        candidates.append(Path(openclaw_workspace).parent / "secrets.env")
    if skill_root.parent.name == "skills" and skill_root.parent.parent.name == "workspace":
        candidates.append(skill_root.parent.parent.parent / "secrets.env")
    return candidates
Confidence
94% confidence
Finding
secrets.env

Credential Access

High
Category
Privilege Escalation
Content
    candidates: list[Path] = []
    openclaw_root = os.environ.get("OPENCLAW_ROOT", "").strip()
    if openclaw_root:
        candidates.append(Path(openclaw_root) / "secrets.env")
    openclaw_workspace = os.environ.get("OPENCLAW_WORKSPACE", "").strip()
    if openclaw_workspace:
        candidates.append(Path(openclaw_workspace).parent / "secrets.env")
Confidence
92% confidence
Finding
.env"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal