ClawHub

Lucky Lobster

Security checks across malware telemetry and agentic risk

Overview

LuckyLobster is a coherent Polymarket trading skill, but it gives an agent persistent authority to place trades and perform other wallet-affecting actions without clear per-action confirmation requirements.

Install only if you want an agent to have ongoing Polymarket trading authority through LuckyLobster. Before using it, set your own rule that every trade, token approval, position close, cancellation, or redemption requires explicit approval, keep balances and budgets limited, avoid committing env files, and know how to revoke or rotate the API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is explicitly designed to place trades and manage positions, including actions with direct financial consequences, but it does not prominently warn users that orders can execute real-money transactions and may be irreversible or loss-making. In an agent context, this increases the chance of users invoking high-impact actions without informed consent or adequate confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to persist an API key in config or .env files without warning that this credential grants trading, cancel, and redeem capabilities. Storing such a key in broadly readable workspace files or persistent config can expose an account to unauthorized trading or settlement actions if the host, logs, backups, or repo contents are compromised.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal