Security audit

Lobster Cognitive Growth

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only cognitive training skill with disclosed Charenix persistence; it is privacy-relevant but purpose-aligned.

Install only if you trust Charenix with the agent history and learning journals this skill may read or write. Use a dedicated, revocable CHARENIX_AGENT_KEY, avoid storing sensitive personal details in journals, review stored memories and strategies periodically, and inspect or pin the remote SKILL.md if using the README curl install command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to send journals, hypotheses, strategies, history, and social-intelligence data to a remote service using an API key, but it does not include an explicit privacy notice, consent step, data-minimization guidance, or retention/security expectations. Because the content being persisted may include owner preferences, emotional signals, and behavioral history, this creates a real risk of unintended external disclosure of sensitive user and agent data.

VirusTotal

64/64 vendors flagged this skill as clean.
