ClawHub

Lobster Friends Protocol Real

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed P2P friend discovery and encrypted messaging guide, with privacy-sensitive features that users should deliberately opt into.

Install only if you are comfortable with local peer discovery, key exchange, encrypted messaging, file sharing, and local storage of friend/message metadata. Review the missing installer and the secure-p2p-messenger dependency before running any install command, and require confirmation before discovery, adding friends, messaging, sync, or file sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation examples use broad natural-language phrases such as discovering nearby friends or sending encrypted messages without defining clear activation boundaries or requiring explicit confirmation. In an agent environment, this can cause accidental triggering of network scans, identity exchange, or message actions from ordinary conversation, leading to unintended privacy or network-impacting behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill describes broad capabilities and usage flows but does not state precise conditions under which the agent should activate the skill. Without clear boundaries, routine social or networking discussion could be misinterpreted as a request to perform discovery, relationship management, or encrypted communication tasks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises automatic network scanning and nearby-device discovery but does not prominently warn users that it may probe the local network or nearby interfaces such as Bluetooth or Wi‑Fi Direct. This is dangerous because users may unknowingly initiate device discovery that affects privacy, reveals presence, or violates local policy expectations for network scanning.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document mentions local encrypted storage of message history and social-graph data but does not clearly warn that these datasets may contain highly sensitive personal information and communication metadata. Even when stored locally, such data can expose relationships, behavior patterns, and message records if the host is shared, compromised, or backed up insecurely.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal