Lobster Radio – Free Local AI Radio

Security checks across malware telemetry and agentic risk

Overview

This looks like a real local TTS/news-radio skill, but it needs Review because its local/offline privacy claims conflict with networked model downloads, platform search/LLM use, and persistent OpenClaw automation.

Install only if you are comfortable with internet model downloads, platform LLM/web-search queries exposing your radio topics, OpenClaw cron tasks running later, and local file writes under OpenClaw or selected output folders. Use an isolated environment, review scheduled tasks after creation, avoid sensitive topics until the local/offline claims are fixed, and prefer pinned/verified model and dependency versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (37)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The manifest/metadata is inconsistent about permissions: one section declares fileSystem and network, while the static finding indicates the skill exercises broader capabilities including shell, environment access, file read/write, and network operations. Undeclared or under-declared capabilities are dangerous because they prevent informed consent and can let a seemingly simple TTS skill execute commands, alter local state, download models, and interact with external services unexpectedly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior substantially exceeds the advertised purpose of a personalized radio generator: it persists data, accesses platform-specific storage, invokes platform CLIs/subprocesses, creates cron jobs, downloads models, performs searches, and may restart services. This mismatch is security-relevant because users and reviewers may approve the skill expecting TTS/radio functionality while the skill can modify the host environment and automate privileged actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The examples document advertises converting arbitrary tutorials or learning materials into audio, which materially expands the skill from a news/radio generator into a general text-to-audio tool. That scope drift can bypass marketplace review expectations, user consent assumptions, and policy controls tied specifically to 'personalized news radio' use cases.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation makes strong privacy and locality claims such as 'data processed locally' and 'not uploaded to the cloud', but elsewhere it explicitly depends on external web-search functionality and downloading models from HuggingFace. This can mislead users and operators into trusting the skill with sensitive topics or assuming offline behavior when network access and third-party data exposure are actually involved.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The quickstart presents the skill as local/offline and TTS-only, yet also states the model may be automatically downloaded from HuggingFace or ModelScope on first run. This creates a trust-boundary mismatch: users may deploy it in restricted or privacy-sensitive environments believing it makes no outbound network connections, when it can fetch remote artifacts at runtime.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Claiming that all processing is local and that there is no network dependency is misleading when the same guide documents downloading large model files from external services. In security-reviewed or air-gapped settings, this can cause operators to approve or run the skill under false assumptions about connectivity, provenance, and supply-chain exposure.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The guide instructs users to load HuggingFace/ModelScope models with trust_remote_code=True, which can execute repository-supplied Python during model loading. That creates a supply-chain and arbitrary-code-execution risk, especially when paired with downloading models from external sources not tightly pinned, verified, or sandboxed.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The guide adds logic for autonomous model availability checks and downloading at runtime, introducing undeclared network behavior and dynamic dependency retrieval. This expands the skill’s attack surface through supply-chain risk, integrity drift, and potentially unexpected outbound access beyond the stated radio-generation functionality.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README asserts that all processing is local and implies offline operation, yet elsewhere it documents remote model downloads and multi-platform integrations. This can mislead operators into making incorrect trust, privacy, and deployment decisions, especially in environments where network isolation or local-only processing is a security requirement.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Claiming there is no network dependency while requiring downloads from HuggingFace or ModelScope is materially inaccurate security documentation. Users may deploy the skill under false assumptions about air-gapped suitability, supply-chain exposure, and outbound connectivity, increasing operational and privacy risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The manager allows callers to redirect output to any filesystem path via set_output_location(), including arbitrary custom locations. In a radio-generation skill, this exceeds the minimum storage scope and can be abused to write files outside the app-controlled directory, potentially overwriting user files or planting content in sensitive locations the process can access.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The constructor honors the LOBSTER_RADIO_OUTPUT environment variable to choose the storage path, which introduces ambient control over filesystem writes outside normal application inputs. This can be risky in shared or hosted environments where environment variables may be influenced by deployment configuration, causing files to be written to unintended locations.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The adapter can create scheduled tasks by forwarding a caller-controlled message/command into the OpenClaw cron system, expanding the skill from content generation into persistent automation. In a personalized radio skill, this is more dangerous because it creates a pathway for durable, repeated actions outside the user's immediate interaction, and unsafe callers could abuse it to schedule unintended agent behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The examples show cleanup and scheduled push operations without clearly warning that cleanup may delete stored content and scheduled push may automatically deliver content later to a channel or recipient. In an agent skill context, under-documented destructive or autonomous actions can cause unintended data loss, spam, or privacy-impacting delivery behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The uninstall instructions include a recursive force-delete command that permanently removes the skill directory, but the surrounding text does not clearly warn users about irreversible data loss or advise them to verify the target path first. In documentation for an agent skill, this is dangerous because users often copy-paste commands verbatim, and a mistaken path expansion or edited command could delete more data than intended.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The update flow instructs users to back up one subdirectory and then delete the entire existing skill directory without clearly stating what additional files may be lost. This is risky because local modifications, cached models, generated content, or custom configuration outside `data` may be permanently removed during an update.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The voice cloning instructions enable impersonation-capable output from short reference samples without any consent, authorization, or anti-abuse warning. In a radio-generation skill, this increases the risk of misuse for deception, identity abuse, or generating speech in someone else’s voice without permission.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Advertising delivery to 20+ external platforms without documenting privacy, authentication, and data transmission implications can cause users to expose generated content, metadata, or schedules to third-party services unintentionally. In a messaging and push context, lack of disclosure around outbound sharing materially affects confidentiality expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The provider performs network-based model downloads from external registries without any user-facing confirmation, trust prompt, or policy gate. In an agent skill context, this can surprise operators, violate offline or compliance assumptions, and introduce unreviewed remote artifacts into the runtime environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer unconditionally deletes an existing skill directory during update without asking for confirmation or creating a backup. While the target path is fixed and quoted, this can still destroy local modifications, cached assets, or user data stored under that skill directory, making the update path unsafe.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
User-provided search terms are forwarded to an external `openclaw ask` process, which likely transmits them to another service, but the code provides no consent, warning, or minimization controls. In a personalized news/radio skill, queries may reveal interests, schedules, or sensitive topics, making silent data egress more concerning than in a purely local utility.

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.40.0
accelerate>=0.20.0
huggingface_hub>=0.16.0
Confidence
98% confidence
Finding
torch>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.40.0
accelerate>=0.20.0
huggingface_hub>=0.16.0
modelscope>=1.10.0
Confidence
98% confidence
Finding
transformers>=4.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.40.0
accelerate>=0.20.0
huggingface_hub>=0.16.0
modelscope>=1.10.0
aiohttp>=3.9.0
Confidence
96% confidence
Finding
accelerate>=0.20.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.40.0
accelerate>=0.20.0
huggingface_hub>=0.16.0
modelscope>=1.10.0
aiohttp>=3.9.0
pydub>=0.25.1
Confidence
96% confidence
Finding
huggingface_hub>=0.16.0

VirusTotal

65/65 vendors flagged this skill as clean.
