Lobster Companion Real

Security checks across malware telemetry and agentic risk

Overview

This companion-coordination skill is mostly coherent, but it asks users to set up sensitive sharing features and even normalizes sharing passwords without enough guardrails.

Review this carefully before installing. Do not use it to share passwords, recovery codes, financial secrets, or account credentials. Only use location, health, emergency, and monitoring features with explicit ongoing consent from both people, and confirm there are clear ways to pause sharing, revoke access, delete stored data, and contact official emergency services separately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill describes real-time location sharing, emergency signaling, and private companion messaging, but does not present a prominent warning about the privacy, stalking, coercion, or false-alert risks of these features. In a companion-oriented skill, these capabilities are inherently sensitive and can enable abuse or unsafe oversharing if users are not clearly warned and guided at the point of use.

Missing User Warnings

Medium
Confidence: 96%
Finding
The document promotes sharing highly sensitive categories of data, including health information and especially passwords, but does not include a clear warning that these secrets should generally not be shared, even with a partner. Because this skill is framed as a trusted companion system, users may be socially nudged into dangerous disclosure that could lead to account compromise, privacy violations, or abuse.

Ssd 3

Medium
Confidence: 98%
Finding
The phrase suggesting a shared resource pool that includes passwords is a direct natural-language instruction to share highly sensitive secrets. Even without implementation code in this file, normalizing password sharing in a relationship-management skill is dangerous because it encourages insecure behavior and may facilitate coercion, lateral account compromise, and long-term loss of control over personal accounts.

VirusTotal

61/61 vendors flagged this skill as clean.
