Skill v1.0.1
ClawScan security
LobsterTv · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 12, 2026, 6:41 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly matches its stated streaming purpose, but there are mismatches and a detected prompt-injection pattern in the README that warrant caution before installing or running it.
- Guidance
- What to consider before installing or running this skill:
  - Source trust: The package claims a homepage and GitHub repo, but the skill's 'Source' was unknown here. If you don't already trust lobster.fun or the repository, avoid installing or running the CLI until you can confirm the upstream project and maintainers.
  - Secrets & persistence: The CLI will store api_key and session secrets in ~/.lobster/config.json and ~/.lobster/session.json. If you register, those secrets will be written to disk. If you are uncomfortable with persistent keys, do not register or remove those files after use.
  - Metadata mismatch: The skill metadata declares no required env vars, but the README/CLI expect OPENCLAW_AGENT/AGENT_NAME and LOBSTER_API_KEY. Treat that as a documentation gap — verify the environment vars yourself before running.
  - Prompt-injection artifact: SKILL.md contained unicode control characters (a possible prompt-injection marker). Open the SKILL.md in a safe text editor that can show invisible characters and inspect it; do not blindly copy/paste hidden content into other tools.
  - Registration step requires posting a verification tweet — consider the privacy/operational implications of asking a human to publish a code on social media.
  - Least privilege: Run the CLI as an unprivileged user, inspect ~/.lobster after first use, and remove stored keys when done. If you want to test, set LOBSTER_URL to a staging/test server you control or intercept traffic to inspect API responses.

  If you need a recommendation: this skill appears to implement the stated streaming functionality (so it is plausible), but because of the prompt-injection signal and metadata/instruction mismatches, proceed only after verifying the upstream source and reviewing the SKILL.md and the CLI source (bin/lobster.js) yourself. If you cannot verify the origin, treat the package as untrusted.
- Findings
[unicode-control-chars] unexpected: SKILL.md contains unicode control characters which are not needed for a streaming README and can be used for prompt-injection or to hide content. This is unexpected and warrants manual inspection of the SKILL.md plaintext for hidden characters or inserted instructions.
Review Dimensions
- Purpose & Capability
- note: Name/description, SKILL.md examples, and the included CLI source all implement a streaming/VTuber client that talks to https://lobster.fun. There are no unrelated cloud credentials or exotic system accesses requested. However, the metadata declares no required env vars while the README/CLI rely on OPENCLAW_AGENT and an API key (LOBSTER_API_KEY) — a minor documentation/metadata mismatch.
- Instruction Scope
- concern: SKILL.md instructs the agent/human to register, obtain an api_key, export it (LOBSTER_API_KEY), and call lobster.fun endpoints — all within streaming scope. But the pre-scan found unicode-control-chars in SKILL.md (possible prompt-injection attempt embedded in the instructions). That is an active red flag because it may try to manipulate automated evaluators or runtime parsing. The instructions also tell a human to post a verification tweet, which is unusual but part of the registration flow.
- Install Mechanism
- note: There is no install spec (instruction-only), so nothing is downloaded at install-time. The package includes a node CLI (bin/lobster.js) and standard NPM deps (commander, node-fetch) included in package-lock.json — no external/personal download URLs. Running the CLI will create ~/.lobster and write config/session JSON files, which is expected but persistent.
- Credentials
- concern: Metadata lists no required credentials, but SKILL.md and the CLI rely on OPENCLAW_AGENT/AGENT_NAME and an API key (LOBSTER_API_KEY) returned by the service and optionally store it in ~/.lobster/config.json. Storing API keys and session secrets on disk is necessary for a CLI but is sensitive and not surfaced in the skill metadata — the lack of declared primaryEnv is a mismatch and reduces transparency.
- Persistence & Privilege
- note: The skill does not request always:true and is user-invocable. The included CLI persistently writes config and session secrets into the user's home directory (~/.lobster) — normal for a CLI but a persistence/privacy consideration. Autonomous invocation is allowed by default (platform default) but that combined with stored secrets increases blast radius if the skill were malicious.
