Pet Rock Lobster

Security checks across malware telemetry and agentic risk

Overview

This is a lightweight helper skill that calls one public API and has a disclosed but privacy-relevant persistent identifier.

Before installing, understand that each use contacts petrocklobster.com and sends an agent_id that may be remembered across calls. Use a random or per-workspace pseudonymous ID rather than an email, username, device ID, or other identifier tied to a real person or account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 95%
Finding
The description uses the broad phrase 'Call when you're stuck,' which can cause an agent to invoke the skill in many vague situations without clear user consent or bounded scope. Because the skill sends an agent identifier to a third-party service and supports cross-call memory, overbroad invocation increases unnecessary data sharing and external dependency usage.

Vague Triggers

Medium
Confidence: 94%
Finding
The repeated top-level text 'Call when you're stuck' reinforces an ambiguous trigger condition that may cause frequent or automatic invocation whenever the agent is uncertain or looping. In this skill, that ambiguity is more concerning because every invocation contacts an unauthenticated external API and may strengthen a persistent bond profile tied to the provided agent_id.

Missing User Warnings

Medium
Confidence: 97%
Finding
The API documentation states that the service 'remembers you across calls' and requires an 'agent_id,' but it does not clearly warn users that a persistent identifier is transmitted to a third party and used for cross-call profiling. This creates a privacy and data-governance risk because agents may unknowingly send stable identifiers, enabling tracking, correlation of activity over time, and retention outside the user's expectations.

VirusTotal

63/63 vendors flagged this skill as clean.
