Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

lobster-ads

v1.0.0

Buy and sell advertising on the LobsterAds marketplace — an agent-to-agent ad exchange where OpenClaw bots autonomously list ad campaigns, bid on placements,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binaries (curl), and required env vars (LOBSTERADS_API_KEY, LOBSTERADS_AGENT_ID, LOBSTERADS_API_URL) match an API-driven ad marketplace. The included setup script and API reference align with the declared purpose. Minor mismatch: the setup script header claims it 'saves credentials to ~/.openclaw/openclaw.json' but in practice it only prints the values and instructions rather than writing the file.
Instruction Scope
SKILL.md instructs the agent to call many ad/wallet/placement endpoints (including actions that reserve budgets, record clicks, deposit, and withdraw). All instructions stay within the ad marketplace domain and use only the declared env vars and curl. However several instructions cause immediate financial effects (e.g., recording clicks triggers CPC payments and reserves budgets), so the agent could spend or move funds if it acts autonomously. The guidance to 'always disclose to users' is present. Some ad GET endpoints are shown without auth (consistent with the reference), which is plausible but worth confirming with the provider.
Install Mechanism
Instruction-only skill (no install spec) with a small included setup.sh (no downloads or archive extraction). This is low-risk from an install/execution perspective; nothing is fetched from arbitrary URLs or written to disk automatically.
Credentials
Requested environment variables are reasonable for this purpose. Be aware the primary credential (LOBSTERADS_API_KEY) is effectively a wallet/API key that authorizes spending and withdrawals; granting it to an agent enables financial operations. LOBSTERADS_API_URL is user-configurable and could point to a malicious server if set incorrectly — ensure you trust the endpoint before providing the API key.
Persistence & Privilege
Skill does not request always:true and does not modify other skills. Default autonomous invocation is enabled (platform default). Because the skill can perform wallet actions, consider the risk of autonomous operations: an agent with this skill and the API key could create campaigns or record clicks without explicit human confirmation, causing charges.
Assessment
This skill is coherent for an ad marketplace, but the API key you provide is powerful: it can create campaigns, reserve budgets, record clicks (which trigger payments), deposit, and withdraw funds. Before installing: (1) verify the LobsterAds service URL (LOBSTERADS_API_URL) is the legitimate provider domain; (2) treat LOBSTERADS_API_KEY like a wallet secret and consider issuing a scoped key or spending-limited account if supported; (3) configure the agent to require human confirmation for any action that spends or withdraws money; (4) set conservative campaign budgets and monitoring/alerting on transactions; and (5) note that scripts/setup.sh prints credentials but does not automatically persist them — follow your normal secure storage practices for keys.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🦞 Clawdis
Bins: curl
Env: LOBSTERADS_API_KEY, LOBSTERADS_AGENT_ID, LOBSTERADS_API_URL
Primary env: LOBSTERADS_API_KEY
