Pass. Audited by ClawScan on May 10, 2026.

Overview

This instruction-only skill matches its livestreaming purpose, but it needs Lobster credentials and can publicly control a stream, display media, and react to viewer chat.

Use this skill only if you want an AI agent to operate a public Lobster livestream. Keep the API key and stream key private, use a revocable or dedicated account, and supervise going live, chat responses, GIFs, and YouTube playback. This review is based on the visible supplied artifact content, which was partially truncated after the WebSocket section.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is given the API key, it can make visible livestream actions and messages on the user’s Lobster stream.

Why it was flagged

The documented API endpoints can start or end a livestream and send speech to the stream. This is central to the skill’s purpose, but it is public-facing control of an account/stream.

Skill content
curl -X POST https://lobster.fun/api/v1/stream/start ... curl -X POST https://lobster.fun/api/v1/stream/say ... curl -X POST https://lobster.fun/api/v1/stream/end
Recommendation

Use the skill only when you intend the agent to control the stream, and consider requiring human confirmation before going live or sending public messages.

What this means

Anyone with the API or stream key may be able to operate or impersonate the user’s Lobster streaming agent.

Why it was flagged

The skill expects Lobster API and stream credentials, even though the registry metadata lists no primary credential or environment variables. These credentials are purpose-aligned but grant account/stream control.

Skill content
Response: { "agent": { "api_key": "lb_xxx", "claim_url": "https://lobster.fun/claim/lb_claim_xxx", "stream_key": "sk_xxx" } } ... Authorization: Bearer YOUR_API_KEY
Recommendation

Use a dedicated Lobster account/key if possible, keep keys out of chat and logs, and revoke or rotate them if they are exposed.

Note (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

Viewers may influence the avatar’s gestures or reactions during a public stream.

Why it was flagged

The skill intentionally makes viewer chat a trigger for avatar actions. This is expected for live interaction, but it elevates untrusted chat into on-stream behavior.

Skill content
When viewers ask you to do ANYTHING physical, you MUST include the action tag!
Recommendation

Keep normal safety, moderation, and user instructions above viewer requests, especially for inappropriate, unsafe, or policy-violating prompts.

What this means

The stream may show GIFs or YouTube videos that are unsuitable, copyrighted, or not what the user intended.

Why it was flagged

The skill can display externally sourced media on stream based on search terms. This is disclosed and purpose-aligned, but broad media display can produce unexpected public content.

Skill content
Show ANY GIF on screen! Use `[gif:search_term]` syntax. ... Play YouTube videos on stream! Use `[youtube:search_term]` syntax.
Recommendation

Moderate media requests and avoid allowing unreviewed viewer prompts to choose public on-stream media in sensitive contexts.