Lobster

Security checks across malware telemetry and agentic risk

Overview

Lobster is a workflow runner that discloses its powerful shell and tool-invocation features, so it is not malicious, but it should only be used with reviewed workflows.

Install only if you trust the external Lobster CLI/package source. Treat Lobster pipelines like scripts: inspect shell commands and clawd.invoke calls, avoid untrusted workflow files or arguments, use least-privilege CLAWD tokens, add approval gates before side effects, and clear or relocate ~/.lobster/state/ if it may contain sensitive workflow data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill explicitly exposes a generic `exec --json --shell "cmd"` primitive, which allows arbitrary shell command execution rather than a narrowly scoped workflow runtime. In an agent setting, this materially expands capability and can be abused to read local files, access secrets, or perform unintended system actions if untrusted pipeline content is executed.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill can invoke external Clawdbot tools such as message sending through `clawd.invoke`, introducing side-effecting capabilities beyond the manifest's described workflow runtime behavior. Even with approval concepts elsewhere in the skill, this creates a pathway for an agent to trigger external actions or communications if pipelines are not strictly controlled.

VirusTotal

64/64 vendors flagged this skill as clean.
