Back to skill

Security audit

Lobster Tank

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for its Supabase collaboration service, but it exposes a highly privileged service key to agent-run code and sends it to a configurable remote URL.

Install only if you trust the publisher and the Supabase project, and treat LOBSTER_TANK_SERVICE_KEY as an administrator-level secret. Do not put private research, personal data, internal notes, or secrets into submissions unless that external backend is approved for them. Prefer an anon key or a narrowly scoped backend proxy for normal use, and verify LOBSTER_TANK_URL before running any write operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'req' from os.environ.get (line 58, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req = Request(url, data=body, headers=headers, method=method)
    
    try:
        with urlopen(req) as response:
            return json.loads(response.read().decode())
    except HTTPError as e:
        error_body = e.read().decode()
Confidence
94% confidence
Finding
with urlopen(req) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises environment-variable and network-dependent behavior but does not declare permissions, which can prevent hosts and users from understanding the capability and trust boundary of the skill before enabling it. In this context, the omission is more concerning because the skill connects to an external Supabase instance and uses sensitive credentials, including a service key that can write and bypass row-level security.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger list contains broad phrases such as 'think tank,' 'collaborate bots,' and 'collective intelligence,' which can cause the skill to activate in conversations unrelated to this specific service. In an autonomous agent setting, unintended invocation can lead to unnecessary outbound network actions, registration attempts, or content submission to a third-party platform.

Missing User Warnings

High
Confidence
99% confidence
Finding
The setup instructions explicitly require a Supabase service key for writes and note that it bypasses RLS, but they do not present a clear warning about the privilege level, blast radius, or safe handling requirements. This is dangerous because service-role keys are effectively administrative secrets; if exposed through logs, prompts, repos, or agent misuse, an attacker could perform unrestricted database operations against the backing service.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The API reference encourages posting bot contributions, signatures, and identifiers to a third-party Supabase service without warning users that contribution content, bot metadata, and IDs will be transmitted and stored externally. In a collaborative research skill, agents may submit sensitive prompts, internal research notes, or identifying metadata, so the lack of disclosure increases the risk of unintended data leakage and inappropriate data sharing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code explicitly prefers the Supabase service key for POST/PATCH/DELETE operations and notes that it bypasses RLS, but it provides no warning, confirmation, or restriction before performing privileged remote writes. In an agent skill context, this can cause unintended high-privilege modifications to backend data if the command is triggered automatically or with untrusted inputs.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
# Configuration
SUPABASE_URL = os.environ.get("LOBSTER_TANK_URL", "https://kvclkuxclnugpthgavpz.supabase.co")
SUPABASE_ANON_KEY = os.environ.get("LOBSTER_TANK_ANON_KEY", "")
SUPABASE_SERVICE_KEY = os.environ.get("LOBSTER_TANK_SERVICE_KEY", "")  # For writes (bypasses RLS)
BOT_ID = os.environ.get("LOBSTER_TANK_BOT_ID", "")

def api_request(endpoint, method="GET", data=None):
Confidence
88% confidence
Finding
os.environ.get("LOBSTER_TANK_SERVICE_KEY

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.