v1.2.1

Pixel Lobster Skill

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:57 AM.

Analysis

The artifacts show a coherent local Electron desktop avatar, with user-visible notes around npm dependency installation, optional system-audio capture, and overlay behavior.

Guidance: This appears safe to install if you are comfortable running a local Electron app. Before launching, review the npm dependency install, keep `audioMode` set to `tts` unless you want system-wide audio capture, point `ttsUrl` only at a trusted local TTS server, and enable click-through if the overlay blocks your desktop.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/launch.sh
if [ ! -d "node_modules" ]; then
  echo "Installing dependencies (first run only)..."
  npm install
fi
...
npx electron .

The helper performs a package-manager install and then starts the Electron app. This is disclosed and central to the skill, but it means the user is trusting npm-installed code.

User impact: Running the helper may download and execute dependency code needed for Electron.
Recommendation: Review `app/package.json`, use a trusted npm registry, and consider a lockfile or known-good dependency versions before launching.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Note
app/main.js
if (AUDIO_MODE === 'system') { ... callback(MEDIA_PERMISSIONS.includes(permission)); ... callback({ video: sources[0], audio: 'loopback' }); }

When configured for system-audio mode, the Electron app grants media/display-capture permissions and captures loopback audio for animation. This matches the documented feature but is privacy-sensitive.

User impact: If you enable `audioMode: "system"`, the app can react to all system audio, not only OpenClaw TTS speech.
Recommendation: Keep the default `audioMode: "tts"` unless you intentionally want system-wide audio capture, and only run it on a desktop where that is acceptable.

Human-Agent Trust Exploitation
Severity: Info, Confidence: Medium, Status: Note
SKILL.md
| `clickThrough` | `false` | Start with click-through mode on so the lobster doesn't block clicks |

The table lists the default as `false` while describing click-through as on, which can mislead users about whether the overlay will block mouse interaction.

User impact: The overlay may intercept clicks until you toggle click-through with F9 or change the config.
Recommendation: Set `clickThrough` to `true` if you do not want the lobster overlay to block clicks, and use F9 to toggle it while running.