Skill v1.0.1
VirusTotal security
LobsterTv · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:48 AM
- Hash: b0c20e53a5bf3fabfd8d3686d48865478247055407f888e81b27d7d18fe8744b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: lobstertv; Version: 1.0.1. The skill is classified as suspicious due to two main factors:
  1. It stores sensitive API keys and session secrets in plain text files (`config.json`, `session.json`) within the user's home directory (`~/.lobster/`), which is a local information disclosure vulnerability if the system is compromised.
  2. The `bin/lobster.js` script's `skill` command fetches the `SKILL.md` content dynamically from the configured remote server (`https://lobster.fun/skill.md`), allowing a potentially malicious server operator to alter the agent's instructions or documentation without a local update.

  While there is no evidence of intentional data exfiltration to unauthorized third parties or direct remote code execution, these design choices present vulnerabilities that could be exploited.
