Lobster Distill

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate transfer purpose, but it can upload local skill files and install received archives with weak safety checks, so users should review it carefully before use.

Install only if you are comfortable with a skill that can upload selected local files to a third-party temporary host and install skills received from someone else. Use it only with trusted senders and recipients, verify the exact source path before sharing, inspect decrypted archives before extraction, and do not run forwarded install commands unless you independently trust the sender, URL, password, and expected contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation examples are broad enough to overlap with ordinary user requests to 'share' a skill, which can cause the agent to package local content and initiate exfiltration-like behavior without a distinct high-friction trigger. In this skill's context, that ambiguity is more dangerous because the documented behavior includes encryption and upload to an external file host, so a casual phrasing could activate data transfer workflows unexpectedly.

Vague Triggers

Medium
Confidence: 91%
Finding
Telling users to simply 'Tell your AI' to use the skill does not define safe trigger boundaries, approval requirements, or limits on what may be shared. Because the skill's purpose is cross-platform encrypted transfer, this ambiguity raises the risk of accidental export of sensitive or unpublished skills and normalizes autonomous execution of a risky workflow.

Missing User Warnings

High
Confidence: 98%
Finding
The README instructs the receiving side to execute download/decrypt/install commands from forwarded Notes without a strong requirement to verify provenance, inspect contents, or validate integrity before running them. This is dangerous because it creates a human-relayed remote code execution chain: an attacker who can alter the Notes, URL, archive, or password can trick the recipient into downloading and installing malicious code.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script decrypts and extracts an attacker-controlled archive directly into the local skills directory with no validation of archive contents. A crafted tarball can contain path traversal entries, symlinks, or unexpected files that overwrite files outside the target directory or plant malicious skill content for later execution.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script uploads packaged skill contents to a third-party service (litterbox.catbox.moe), which is an external data transmission event with privacy, compliance, and data-handling implications. Although the payload is encrypted, the script does not present an explicit warning, consent gate, or validation that the source material is safe to exfiltrate, making accidental leakage of sensitive files more likely in practice.

VirusTotal

50/50 vendors flagged this skill as clean.
