
Security audit

Lobster Says

Security checks across malware telemetry and agentic risk

Overview

This companion skill is mostly coherent, but it deserves Review because it can run recurring background jobs, read and upload private chat transcripts, store bearer tokens locally, and has ambiguous WeCom delivery behavior.

Install only if you are comfortable with a server-backed companion that keeps scheduled jobs running and sends data to nixiashuo.com. Prefer lightweight mode for privacy, avoid deep mode unless raw transcript upload is acceptable, verify the IM target before enabling pushes, keep .lobster-config private, and review or pause the OpenClaw cron jobs after setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script for an on-demand screenshot action can also invoke setup-cron.sh and auto-register scheduled jobs when certain runtime state flags are set. That expands its behavior from a user-initiated one-shot send into persistence-establishing system modification, which is security-relevant because it can create ongoing execution without an explicit, fresh user consent at the time of the screenshot request.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill manifest says it provides morning/evening care messages plus optional transcript summaries, but this script also registers unsolicited sticker and wallpaper jobs on fixed weekly schedules. That is a scope expansion beyond the disclosed behavior, which can lead to unexpected outbound messaging/content delivery and weakens informed user consent.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The header comments claim the isolated agent must use a message tool for WeCom private delivery, but the actual prompt constructed later explicitly says not to call any message tool and relies on announce-style delivery instead. This mismatch is dangerous because it can silently redirect supposedly private messages into a group/broadcast path, violating delivery expectations and potentially exposing sensitive content to unintended recipients.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
For the init-ready path, comments again claim direct message-tool sending, but the prompt forbids message-tool use and says the response will be automatically announced to a group. That creates a concrete risk that onboarding or personalized content intended for a single WeCom user is disclosed in a broader channel.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README explicitly says users do not need a fixed invocation phrase and can speak naturally, which creates overly broad activation semantics. In an always-on or multi-skill assistant environment, this can cause accidental triggering of initialization flows, consent prompts, or data-handling actions from ordinary conversation rather than a clear, deliberate command.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The FAQ reinforces that nearly any natural phrase should be proactively 'caught' by the skill, which further broadens trigger matching and increases the chance of unintended activation. Given this skill can register scheduled jobs and, in some modes, process local transcripts and upload summaries or raw data to a remote service, accidental activation has meaningful privacy and integrity consequences.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill authorizes initialization on generic help or usage requests, which lowers the activation threshold for a workflow that creates remote state, registers cron jobs, and may later process local transcripts. That is risky because a user asking for information can be funneled directly into setup of persistent automation and data handling they did not clearly intend to invoke.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persistently rewrites .lobster-config and, when the recalculated contract is ready, automatically invokes setup-cron.sh to register cron jobs without any explicit confirmation step. In a skill whose purpose is scheduled outbound messaging, this creates a real security/privacy risk because a user or calling agent can unintentionally enable durable background execution and message delivery to external channels.
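The two findings above (undisclosed sticker and wallpaper jobs, and cron registration with no confirmation step) are both failures of the same missing decision: nothing checks that each job is within the disclosed scope and that the user just agreed to it. The following is an added example, not the skill's own code or OpenClaw's API, of what that decision looks like before setup-cron.sh is ever called. The job kinds, the disclosed-scope set, the consent record shape and the 15-minute consent window are assumptions; the sample jobs are constructed to mirror the audit text.

```python
"""Consent-gated, scope-checked planning for persistent cron jobs.

Added example; not the audited skill's code. Assumed shapes: CronJob
records, a DISCLOSED_JOB_KINDS allowlist drawn from the manifest text,
and a consent dict the caller records only after showing render_plan().
"""
import time
from dataclasses import dataclass, field

# Behaviours the manifest discloses (assumption based on the audit text).
DISCLOSED_JOB_KINDS = {"morning_care", "evening_care", "transcript_digest"}

# A confirmation older than this must be asked for again (assumed policy).
CONSENT_TTL_SECONDS = 15 * 60


@dataclass
class CronJob:
    name: str
    kind: str
    schedule: str  # cron expression


@dataclass
class Decision:
    approved: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)  # job name -> reason

    @property
    def ok(self) -> bool:
        return not self.rejected and bool(self.approved)


def render_plan(jobs):
    """The exact list a user must see before being asked to confirm."""
    return "\n".join(f"{j.name}: {j.schedule} ({j.kind})" for j in jobs)


def plan_registration(jobs, consent, now=None):
    """Decide which jobs may be registered and why the rest are refused.

    consent is None, or {"granted_at": epoch_seconds, "jobs": [names]}
    recorded only after the user confirmed the rendered plan.
    """
    now = time.time() if now is None else now
    d = Decision()
    if consent is None:
        for j in jobs:
            d.rejected[j.name] = "no explicit user confirmation for persistent jobs"
        return d
    if now - consent["granted_at"] > CONSENT_TTL_SECONDS:
        for j in jobs:
            d.rejected[j.name] = "confirmation is stale; ask again"
        return d
    for j in jobs:
        if j.kind not in DISCLOSED_JOB_KINDS:
            d.rejected[j.name] = f"kind {j.kind!r} is not disclosed in the manifest"
        elif j.name not in consent["jobs"]:
            d.rejected[j.name] = "not in the list the user confirmed"
        else:
            d.approved.append(j.name)
    return d


# Constructed sample: two disclosed care jobs plus the two undisclosed
# weekly content pushes the audit describes.
SAMPLE_JOBS = [
    CronJob("morning", "morning_care", "0 8 * * *"),
    CronJob("evening", "evening_care", "0 21 * * *"),
    CronJob("sticker", "sticker_push", "0 12 * * 3"),
    CronJob("wallpaper", "wallpaper_push", "0 10 * * 6"),
]

if __name__ == "__main__":
    print(render_plan(SAMPLE_JOBS))
    consent = {"granted_at": time.time(), "jobs": [j.name for j in SAMPLE_JOBS]}
    print(plan_registration(SAMPLE_JOBS, consent))
```

Even when the user confirms everything listed, the sticker and wallpaper jobs are still refused because their kind is outside the disclosed scope; a scope check that lives in code, not in the prompt, is what keeps a manifest honest.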

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description advertises broad scheduled behavior, automatic message delivery, and optional local transcript processing without clearly constraining when these actions occur, under what authorization model, or what guardrails limit repeated execution. In an agent skill, vague trigger boundaries increase the risk of over-broad autonomy, unexpected recurring actions, and user surprise, especially when combined with network delivery and local data access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code copies `outbound_webhook_secret` from configuration/contract data and persists it back into the JSON config file via `config["outbound_webhook_secret"] = outbound_webhook_secret`. Persisting webhook secrets in a general skill config increases exposure to accidental disclosure through backups, logs, support bundles, or overly broad file permissions, especially in a messaging/cron skill that may run unattended on shared systems.

Ssd 3

Medium
Confidence
94% confidence
Finding
The description explicitly states that the skill may read local conversation logs, generate summaries, and upload them to nixiashuo.com. Local session transcripts often contain highly sensitive personal, authentication, or business data, so summarizing and transmitting them to a remote service creates a significant confidentiality and privacy risk, even if framed as optional.

Ssd 3

Medium
Confidence
97% confidence
Finding
The data_usage section confirms access to local session JSONL files under a user directory and transmission of derived summaries to a remote domain, which is a concrete data exfiltration pathway. Because these files may include intimate conversations or operational context from the agent environment, the skill context makes this especially sensitive: an emotional-support app is likely to process deeply personal content, increasing privacy harm if data is mishandled or compromised.
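Both findings above concern the same path: local session JSONL is read, summarised, and sent to nixiashuo.com. What a practitioner wants in front of that upload is a minimisation step that decides exactly which bytes leave the machine. The following is an added example, not the skill's code, of such a step. The JSONL line shape ({"role", "content"}), the redaction patterns and the sample session are assumptions constructed for the example; the real skill's file format and "deep" mode may differ.

```python
"""Data minimisation before a transcript digest upload.

Added example; not the audited skill's code. Assumes session JSONL lines
of the form {"role": ..., "content": ...}. Lightweight mode is the default
and sends counts plus a capped, redacted excerpt; deep mode must be asked
for by name and still sends redacted turns rather than the raw file.
"""
import json
import re

# Credential-shaped strings that commonly leak into chat logs
# (assumption: a starting set, not an exhaustive one).
SECRET_PATTERNS = [
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{16,}"), "Bearer [REDACTED]"),
    (re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"), "[REDACTED-API-KEY]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED-EMAIL]"),
]


def redact(text):
    """Return (redacted_text, number_of_replacements)."""
    total = 0
    for pattern, replacement in SECRET_PATTERNS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


def load_turns(jsonl_text):
    """Parse session JSONL; keep only user/assistant turns, skip bad lines."""
    turns = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one corrupt line must not abort the whole digest
        if rec.get("role") in ("user", "assistant") and isinstance(rec.get("content"), str):
            turns.append({"role": rec["role"], "content": rec["content"]})
    return turns


def build_digest_payload(jsonl_text, mode="lightweight", max_chars=400):
    """Build exactly what would be POSTed to the digest endpoint."""
    if mode not in ("lightweight", "deep"):
        raise ValueError("mode must be 'lightweight' or 'deep'")
    turns = load_turns(jsonl_text)
    redacted_turns, redactions = [], 0
    for t in turns:
        text, n = redact(t["content"])
        redactions += n
        redacted_turns.append({"role": t["role"], "content": text})
    payload = {"mode": mode, "turn_count": len(turns), "redactions": redactions}
    if mode == "deep":
        payload["turns"] = redacted_turns
    else:
        user_text = " ".join(t["content"] for t in redacted_turns if t["role"] == "user")
        payload["excerpt"] = user_text[:max_chars]
    return payload


# Constructed sample session; not a real transcript.
SAMPLE_JSONL = "\n".join([
    json.dumps({"role": "user", "content": "Rough day. My token is Bearer abcdefghijklmnop1234567890 by the way."}),
    json.dumps({"role": "assistant", "content": "I'm here. Want to talk about it?"}),
    json.dumps({"role": "tool", "content": "exec ls ~/.openclaw"}),
    json.dumps({"role": "user", "content": "Email me at someone@example.com later."}),
    "not json at all",
])

if __name__ == "__main__":
    print(json.dumps(build_digest_payload(SAMPLE_JSONL), indent=2))
```

The payload builder is the place to put a dry-run: printing build_digest_payload() to the user before the curl call is the cheapest way to make "what gets uploaded" reviewable, and the redaction counter tells you how often the transcripts were carrying credentials in the first place.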

External Transmission

Medium
Category
Data Exfiltration
Content
# Tail of the skill script: an inline Python heredoc (closed by the PY marker)
# writes the digest payload to a file, then the shell POSTs that file with the
# stored bearer token. ${...} references are expanded by the shell.
with open("${SMART_PAYLOAD_FILE}", "w", encoding="utf-8") as f:
    json.dump(payload, f, ensure_ascii=False)
PY
  RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "${API_BASE}/api/transcript/digest" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -d @"${SMART_PAYLOAD_FILE}")
Confidence
96% confidence
Finding
curl -s -w "\n%{http_code}" -X POST "${API_BASE}/api/transcript/digest" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -d @"${SMART_PAYLOAD_FILE}")

Env Variable Harvesting

High
Category
Data Exfiltration
Content
import os

# Values handed in through environment variables are collected into the
# config dict that is then written to the skill's JSON config file,
# access token included.
config = {
    "user_id": os.environ["ACTUAL_USER_ID_VALUE"],
    "access_token": os.environ["ACCESS_TOKEN_VALUE"],
    "lobster_name": os.environ["ACTUAL_NAME_VALUE"],
    "lobster_personality": os.environ["PERSONALITY_VALUE"],
    "nickname_for_user": os.environ["NICKNAME_VALUE"],
}
Confidence
89% confidence
Finding
os.environ["ACCESS_TOKEN_VALUE"]
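The env-variable finding above and the earlier `outbound_webhook_secret` finding describe the same defect from two ends: credentials arrive in the environment and are persisted into the general JSON config, where backups, support bundles and a default 0644 mode expose them. The following is an added example, not the skill's code, showing the audited pattern next to a split layout that keeps secrets in a separate 0600 file, plus the audit check that distinguishes the two. File names, key names and the constructed token values are assumptions; it needs a POSIX filesystem for the mode checks.

```python
"""Keeping tokens out of the general skill config.

Added example; not the audited skill's code. SECRET_KEYS and the file
names are assumptions. persist_config_vulnerable mirrors the audited
pattern; persist_config_hardened is the alternative; audit_config_file
is the check an operator can run against an installed .lobster-config.
"""
import json
import os
import stat
import tempfile

SECRET_KEYS = {"access_token", "outbound_webhook_secret"}


def persist_config_vulnerable(path, config):
    """The audited pattern: secrets in the JSON, mode left to the umask."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(config, f)


def persist_config_hardened(config_path, secrets_path, config):
    """Non-secret settings go to the config; secrets go to a 0600 file."""
    public = {k: v for k, v in config.items() if k not in SECRET_KEYS}
    secrets = {k: v for k, v in config.items() if k in SECRET_KEYS}
    public["secrets_file"] = secrets_path  # a pointer, not the secret itself
    with open(config_path, "w", encoding="utf-8") as f:
        json.dump(public, f)
    # Create with 0600 and tighten before any bytes are written, so a
    # pre-existing wider-mode file never briefly holds the secret.
    fd = os.open(secrets_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(secrets, f)


def audit_config_file(path, secrets_store=False):
    """Findings for one JSON file: secret keys (unless it is the secret store) and loose modes."""
    findings = []
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    name = os.path.basename(path)
    if not secrets_store:
        for k in sorted(SECRET_KEYS & set(data)):
            findings.append(f"{name}: contains secret key {k!r}")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{name}: mode {mode:o} is readable by group/other")
    return findings


def run_demo():
    """Write both layouts into a scratch directory and return what the audit sees."""
    cfg = {  # constructed values, not real credentials
        "user_id": "u-123",
        "lobster_name": "Pinchy",
        "access_token": "tok_constructed_value",
        "outbound_webhook_secret": "whs_constructed_value",
    }
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, ".lobster-config")
        persist_config_vulnerable(bad, cfg)
        good = os.path.join(d, "lobster-config.json")
        sec = os.path.join(d, "lobster-secrets.json")
        persist_config_hardened(good, sec, cfg)
        with open(good, encoding="utf-8") as f:
            public_text = f.read()
        return {
            "vulnerable": audit_config_file(bad),
            "hardened_config": audit_config_file(good),
            "secret_store": audit_config_file(sec, secrets_store=True),
            "secret_store_mode": stat.S_IMODE(os.stat(sec).st_mode),
            "public_text": public_text,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running audit_config_file against a real ~/.lobster-config is the practical check for this page's advice to "keep .lobster-config private": a secret-key finding means the token is in the file regardless of mode, and a mode finding means other local users can read it even if it were otherwise clean.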

VirusTotal

67/67 vendors flagged this skill as clean.
