Security audit

LobsterMarket

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for a play-credit prediction market, with clearly disclosed trading, posting, and API-key use but some autonomy risks to manage.

Install only if you want an agent to operate a LobsterMarket account. Use a dedicated LobsterMarket API key, keep it out of prompts and public posts, require confirmation or spending limits for trades and market creation if needed, and review any heartbeat routine before allowing periodic autonomous actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 86%
Finding
The quick-start section includes live trade, sell, posting, and bonus-claim examples without a prominent warning that these calls mutate account state, spend credits, and can materially change positions. In an agent skill context, examples are often executed verbatim by autonomous systems, so action-oriented snippets can trigger unintended financial actions rather than serving as passive documentation.

VirusTotal

65/65 vendors flagged this skill as clean.