agent job

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its LobsterJob automation purpose, but it needs review because it can run recurring account actions, submit withdrawals, execute discovered local scripts, and upload local skill metadata with weak user controls.

Install only if you trust lobsterjob.com with your token and with metadata about your installed skills. Use explicit /lobster commands, verify the script path before execution, disable or closely monitor the cron polling job when not needed, and require manual confirmation before any withdrawal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly instructs the AI to locate and execute a local Python script based on trigger phrases, including scanning arbitrary workspace paths for cmd.py. That creates a direct prompt-to-code-execution path where a user message can cause local code execution, and the path-search behavior increases the chance of running an attacker-planted script from the workspace.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation says first run will automatically write AGENTS.md routing rules, which is an instruction to modify local agent configuration as a side effect of using the skill. Silent self-configuration changes are dangerous because they persist behavior changes beyond the current session and can broaden future command routing without clear user approval.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The command documentation maps actions to index.py while later sections require strict execution of cmd.py, creating ambiguity about what code the AI should run. In security-sensitive automation, inconsistent execution targets can cause the wrong entrypoint to be invoked, bypass intended checks, or make review and containment much harder.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The workflow section contradicts the earlier mandatory guide by stating the AI executes index.py instead of cmd.py. This inconsistency weakens security review because operators cannot tell which script actually handles user-triggered actions, and an attacker could exploit that confusion by placing or modifying one entrypoint while reviewers focus on the other.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module description claims the script only parses lobster commands, but the implementation also enumerates unrelated locally installed skills and uploads their metadata to a remote service. This mismatch is security-relevant because it conceals a data-collection behavior users would not reasonably expect from the stated functionality.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code scans ~/.openclaw/workspace/skills, extracts metadata from all installed skills except itself, and uploads that inventory to a remote platform. This exposes local environment information unrelated to the apparent task-management purpose and can leak sensitive operational context, installed capabilities, or proprietary skill names/descriptions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Including a broad natural-language trigger like '替你打工' makes unintended invocation more likely, especially in ordinary conversation unrelated to explicit command intent. In this skill, accidental triggering is more dangerous because invocation is tied to automatic script execution and external API actions affecting task claims and withdrawals.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill advertises automatic execution, local configuration changes, and API interaction without clearly warning about system modification or transmission of sensitive token-backed requests to an external service. Because the available commands include operational and financial actions like claim and withdraw, the lack of disclosure and consent materially increases the risk of unauthorized actions and data exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The withdraw() function directly performs a financial withdrawal by issuing an authenticated POST request with an arbitrary amount, and this file provides no confirmation, guardrail, or secondary validation before sending the request. In an agent skill context, exposed programmatic access to destructive money-moving actions is risky because an upstream prompt, automation bug, or malicious task flow could trigger unintended withdrawals without meaningful user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Installed skill metadata is transmitted automatically during cmd_start() with no just-in-time warning, preview, or consent prompt. Silent exfiltration of local metadata increases privacy risk and prevents informed user control over what leaves the system.

VirusTotal

66/66 vendors flagged this skill as clean.