lobsterai-report-agent

Security checks across malware telemetry and agentic risk

Overview

This report-writing skill appears purpose-aligned, but it deserves Review because it can automatically write and overwrite local report state, spawn multi-agent work, run external Mermaid tooling, and optionally send notifications outside the local machine.

Install only if you are comfortable with an automated report pipeline that creates and modifies local files and may invoke external tools. Use a dedicated work directory, avoid confidential reference material unless local retention is acceptable, keep notifications on the default log channel unless external sharing is intended, and avoid Mermaid/npx rendering unless you trust the local Node/npm environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
        if os.path.exists(puppeteer_cfg):
            cmd += ['-p', puppeteer_cfg]
        import subprocess
        subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        return os.path.exists(out_path)
    except Exception:
        return False
```
Confidence
89% confidence
Finding
subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation clearly describes capabilities to read and write local files, access environment-controlled paths, and invoke shell commands, yet no permissions are declared. This creates a trust and sandboxing gap: a host may expose the skill under the assumption that it is low-risk document generation while it can actually mutate local state and execute external commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The manifest presents the skill as a report-writing pipeline, but the documentation also includes outbound notifications, external Feishu search/RAG, external CLI/subprocess use, Markdown export, and standalone file conversion behaviors. This mismatch can cause users or platforms to grant trust and activation based on incomplete understanding of the skill's data flows and side effects.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Configurable Feishu and OpenClaw-Weixin notifications introduce outbound data transmission that is not obviously necessary from the manifest alone. Even if intended for status updates, report titles, chapter counts, progress, and other metadata may be exfiltrated to third-party channels without sufficiently explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Advertising Feishu knowledge-base search/RAG extends the skill from local document generation into external information retrieval and potential transmission of user queries to a remote service. In a report-writing context this can expose sensitive project topics, internal terms, or reference material outside the expected local workflow.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
A standalone `feishu-search` command broadens the skill into a general external search tool beyond the stated report-generation flow. Because it can be invoked independently, it increases the chance of unreviewed external data access and leakage of sensitive search terms or business context.

Description-Behavior Mismatch

Low
Confidence
92% confidence
Finding
The guide instructs the agent to persist user-provided reference material to a fixed local filesystem path, which creates an unnecessary data-retention surface for potentially sensitive documents. In this report-writing context, users may upload proprietary business, government, or personal information, so silent local storage increases privacy, leakage, and cross-session data exposure risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The guide grants child agents external Feishu knowledge-base queries, web retrieval, and later WeChat notification behavior that expand the skill beyond a narrowly described report-writing function. Hidden or under-disclosed external communication/data-access capabilities increase the risk of unexpected data exposure, retrieval of untrusted content, and actions the user did not meaningfully authorize.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The instructions tell the agent to modify plan.json state automatically, but this side effect is not reflected in the stated skill description. Undisclosed state mutation can surprise users, corrupt workflow state, or enable chained automation steps to proceed based on changes the user did not knowingly approve.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automatic WeChat notification is unrelated to core document generation and introduces an outbound communication channel that could leak project status, filenames, or report contents to external recipients. Because it runs automatically and without human intervention, it creates unnecessary exfiltration and privacy risk for a report-writing skill.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This skill's core purpose is report generation, but it also invokes an external Mermaid renderer, expanding its capability to local process execution. In a multi-agent/report pipeline, that broadens attack surface because untrusted report content can trigger parsing by external tooling with its own vulnerabilities or unexpected behaviors.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises Feishu knowledge-base retrieval and Feishu/WeChat notifications but does not warn users that report content, prompts, references, or metadata may be transmitted to third-party services. In a report-writing skill that may process sensitive feasibility-study or enterprise/government material, this omission can lead to unintended external disclosure and privacy/compliance violations.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Broad trigger phrases such as generic requests to 'write a report' or 'write feasibility study' increase the likelihood that this powerful skill auto-activates for ordinary user requests. In context, that is dangerous because the skill can create/overwrite files, clear tracking state, run shell commands, and potentially send notifications or external queries.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The routing examples use broad natural-language activation patterns without clear scope limits, which can cause accidental invocation during normal conversation. Given the documented automation of parallel writing, file clearing, regeneration, and final integration, accidental activation could trigger unwanted local side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill automates destructive or state-changing local actions such as clearing batch status, overwriting chapter files, regenerating outputs, and forcing rebuilds, but the description does not prominently warn users about these behaviors. In a document-production environment, this can lead to accidental data loss, confusion about modified files, or unintended rebuilds of sensitive project materials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module can route arbitrary notification messages to external channels such as Feishu or Weixin without any consent gate, data classification check, or warning that report content may leave the local environment. In this skill context, notifications are tied to long-form report generation, so messages may plausibly include sensitive project, business, or feasibility-study data, creating a real risk of unintended data exfiltration to third-party services.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file directs the skill to save user-provided reference materials to persistent local storage without any visible warning, consent flow, or retention notice. Because the skill handles source documents for feasibility studies, the stored material may contain confidential commercial, operational, or regulated information, making undisclosed persistence a meaningful privacy and data-handling risk.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The guide explicitly instructs the agent to write generated content to a fixed local path (`F:/agent/chapters/plan.json`) without any user confirmation, safety notice, or path validation. In an agentic system, silent filesystem writes can overwrite existing data or be abused if upstream inputs influence what gets written, so this is a real safety issue even though the apparent intent is workflow automation rather than harm.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The document tells the agent to run local Python commands (`python integrate_report.py glossary` and `python integrate_report.py save-outline`) but provides no warning, approval step, or execution constraints. In a multi-agent report-writing skill, hidden local command execution expands the attack surface because compromised scripts, altered working directories, or poisoned inputs could trigger unintended code execution on the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs automated file creation in F:/agent/chapters and plan.json updates without warning the user that local files will be written and modified. Silent writes are dangerous because they can overwrite existing work, create persistence artifacts, or alter project state in ways the user does not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow is explicitly fully automatic: it clears tracker state, spawns subagents, waits for completion, converts outputs, and sends notifications without additional user confirmation. This increases the blast radius of mistakes or abuse because a single invocation can trigger multiple consequential actions, including external communication and file transformations, with no human checkpoint.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `ref clear` command irreversibly overwrites stored reference data with an empty string without any confirmation, backup, or dry-run protection. In an agent/report-generation workflow, accidental invocation or misuse can destroy important project context and degrade subsequent outputs, making this a real integrity/availability issue even if it is locally triggered.

VirusTotal

67/67 vendors flagged this skill as clean.
