v0.3.0

Lobstr

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:33 AM.

Analysis

Lobstr is a coherent startup-idea scoring skill, but users should know their idea is sent to external services and optional flags can publish it.

Guidance: This skill appears purpose-aligned and safe to install for ordinary use. Before using it, remember that startup ideas are sent to runlobstr.com by default; do not submit confidential ideas unless that is acceptable. Only use `--public` or `--moltbook` when you intentionally want the result published or posted, and only configure optional API keys if you want BYOK or Moltbook functionality.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Default usage (no flags) makes **one outbound call** to `runlobstr.com/api/score` for scoring and returns privately. No data is published or shared.

The core workflow sends the user's startup idea to an external hosted API. This is disclosed and purpose-aligned, but it matters for users whose ideas are confidential: the idea leaves the local session even with no flags set.

User impact: A startup idea entered for scoring leaves the local conversation and is processed by runlobstr.com by default.
Recommendation: Avoid submitting confidential or trade-secret ideas unless you are comfortable sending them to runlobstr.com.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
| `--public` | Also publish to runlobstr.com and show share URL |
| `--moltbook` | Also post to m/lobstrscore on Moltbook |

The optional flags publish or post the scan result externally. This is clearly documented and is not the default behavior, but once either flag is used the idea and its score are visible outside the user's session (a public share URL on runlobstr.com, or a post to the m/lobstrscore community on Moltbook).

User impact: If these flags are used, the idea and score may become publicly shareable or posted to a community.
Recommendation: Use `--public` or `--moltbook` only after the user explicitly asks to publish or post the result.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SECURITY.md
All credentials are read from environment variables only — nothing is hardcoded:

- `ANTHROPIC_API_KEY` — optional (BYOK mode only)
- `EXA_API_KEY` — optional (BYOK mode only)
- `MOLTBOOK_API_KEY` — optional (only with `--moltbook` flag)

The skill can use provider and posting credentials from the environment. This is disclosed and purpose-aligned, with no hardcoded credentials shown.

User impact: If optional keys are set, the skill can spend/use those provider accounts or post through the configured Moltbook credential.
Recommendation: Set optional API keys only when needed, use limited-scope keys where possible, and remove them from the environment when not using BYOK or Moltbook posting.