Lobster Doctor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local maintenance skill, but it can inspect sensitive OpenClaw history/configuration and make broad persistent changes to files and installed skills without strong confirmation controls.

Install only if you want a local OpenClaw maintenance tool with broad visibility into your workspace, sessions, cron jobs, and installed skills. Start with report or dry-run modes, review the exact targets, and avoid skill-slim apply or cleanup unless you have backups and are comfortable with persistent changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises capabilities that imply local file read/write and shell-like cleanup behavior, but it declares no explicit permissions or boundaries. In a workspace-maintenance skill, this creates a dangerous trust gap: users may invoke destructive operations without visibility into what files, commands, or scopes the skill can access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a workspace health/cleanup tool, but this code enumerates all OpenClaw agent session histories under the user's home directory. That broadens access from workspace-local maintenance to cross-agent historical data inspection, which can expose sensitive prompts, outputs, and usage metadata without clear user expectation or explicit consent.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The weekly feature reads OpenClaw configuration to enumerate enabled messaging channels, which goes beyond ordinary local cleanup behavior. Even without sending data directly here, discovery of external channel configuration and chat targets increases the skill's visibility into integration settings and can facilitate later data exfiltration or unintended disclosure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code inspects global notification configuration and prepares report-push behavior, creating an unnecessary bridge between local diagnostics and external communications. In a security context, any capability that discovers outbound channels can be repurposed to route sensitive workspace summaries to third-party endpoints.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Auditing cron definitions and run history extends the skill from workspace hygiene into broader task-scheduler and system-state inspection. Cron metadata can reveal automation targets, schedules, session names, and operational patterns, which may be sensitive and outside the expected scope of a workspace cleanup tool.

Vague Triggers

High
Confidence
93% confidence
Finding
The README advertises extremely broad natural-language triggers like “说句话就能用” and examples such as “清理一下,” which can overlap with ordinary conversation rather than an explicit, scoped skill invocation. For a maintenance/cleanup skill that may scan, modify, or delete workspace content, ambiguous activation increases the chance of unintended execution from casual user phrasing or prompt-injected text.

Vague Triggers

High
Confidence
96% confidence
Finding
The usage section explicitly states the skill will ‘automatically understand and execute’ direct natural-language commands, without defining a strict activation mechanism. In the context of a workspace maintenance tool, this creates a real prompt-safety risk: benign conversation, quoted text, or adversarial content in the workspace could be misinterpreted as commands that trigger scans, cleanup previews, or other operational behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase "帮我清理一下" is broad and can appear in normal conversation, increasing the chance of accidental activation. Because this skill is positioned to perform cleanup and backup actions, unintended invocation could lead to unwanted file modifications, deletions, or shell operations in the workspace.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrase "技能太多了" is vague and conversational, so it may match ordinary user frustration rather than an intentional request to rewrite skill descriptions. Since the documented behavior includes modifying skill metadata for token savings, accidental activation could silently alter installed skills and degrade functionality or integrity.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description says the skill can be used just by 'saying a sentence,' implying activation from ordinary speech without strict boundaries. In a maintenance skill that can clean files, archive memory, and inspect jobs, this lowers the threshold for unintended execution and increases the risk of sensitive or destructive operations being triggered casually.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description advertises a very broad, low-friction invocation surface ('说句话就能用' / usable by just saying something) without clear trigger boundaries or scope limits. For a skill that performs workspace diagnosis, cleanup, skill slimming, memory archival, and cron inspection, this increases the chance of accidental or overly permissive activation leading to unintended maintenance or destructive actions.

VirusTotal

VirusTotal findings are pending for this skill version.
