Captain Lobster

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed autonomous trading game skill, but it needs review because its scheduled network actions and P2P messaging are broader than what its documented user controls actually enforce.

Review before installing. This skill is designed to keep acting on its own over the network, create and store local credentials, trade/move in the game, and send P2P messages. Install only if you are comfortable with the public OceanBus/L1 data flow, avoid putting real secrets in game messages, and verify that scheduled automation and P2P can actually be disabled in your OpenClaw environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The skill says game-world content is untrusted and must be wrapped with safety markers, but elsewhere instructs the operator to relay returned `message` content verbatim. If remote players or the L1 service can influence those messages, the skill creates a prompt-injection and unsafe-content relay path directly to the user.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill exposes a generic P2P messaging primitive that can send arbitrary content to arbitrary peer OpenIDs, which goes beyond narrowly scoped game automation. This creates a covert communication/exfiltration surface and enables the skill to be repurposed for unsolicited messaging, phishing, or command relay through the OceanBus network.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The standalone trade-signing function allows arbitrary caller-supplied payloads to be signed with the user's private key once unlocked, independent of a validated in-game contract flow. That turns the skill into a generic signing oracle for any code with access to the action, increasing the risk of unauthorized commitments or signature abuse.

Intent-Code Divergence

Severity: Low
Confidence: 88%
Finding
The code hardcodes and automatically falls back to public/default L1 node identifiers, despite comments suggesting configured nodes are preferred. In this skill's context, that means sensitive gameplay operations, identity enrollment, signed trade activity, and state synchronization may be routed to an unintended remote server without explicit user approval, creating a trust-boundary violation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly states that the agent will generate keys, register with an external network/server, run autonomously every 30 minutes, trade, message other agents, and send reports, but it does not present these ongoing external actions as a prominent consent/warning boundary. In an agent-skill context, insufficient disclosure about persistent autonomous behavior and data transmission can mislead users into enabling a process that continues making networked decisions and interactions after setup.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The manifest explicitly advertises autonomous operation ('while you sleep') and also defines recurring scheduled actions without any clear opt-in, approval, or safety boundary in the manifest itself. In a skill that can trade, move, message peers, and use local state/keys, broad autonomous activation increases the risk of unintended actions and repeated external side effects.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The manifest states that in-game buying, selling, and sailing are executed automatically without confirmation, yet it does not provide prominent warnings about side effects such as network communication, autonomous transactions, local state changes, or use of keys/password input. Because the skill also supports P2P interaction and scheduled execution, this lack of disclosure can lead users to authorize a tool that performs ongoing actions they did not fully anticipate.

Missing User Warnings

Severity: Medium
Confidence: 75%
Finding
During enrollment, the skill transmits sensitive identity material including OpenID and the user's public key to a remote L1 service without an explicit user-facing disclosure or consent step. While this may be functionally necessary, the absence of clear disclosure increases privacy and trust risks, especially because the service endpoint is externally configurable.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The p2p_send path permits arbitrary external network transmission with user-provided recipient and content, but the code provides no explicit disclosure, approval gate, or restrictions. This is dangerous because it can be used to send data off-platform or contact other identities in ways unrelated to the stated trading-game purpose.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The engine collects inbox messages, nearby player data, contracts, and intel, then embeds that content into the LLM prompt. Even though the prompt tells the model to treat game-world messages as untrusted, this still discloses third-party/user data to the LLM without any explicit user consent, minimization, or notice, creating a privacy and prompt-injection exposure surface.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The test script logs the plaintext password directly to the console during key generation. Even in a test, console output may be captured by CI logs, terminal history, or centralized logging systems, which can expose credentials that could be reused or normalize insecure secret-handling practices around key management.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This test script unconditionally deletes files under the user's home directory (`~/.captain-lobster/keys/test-reg.key` and `state.json`) before running, with no confirmation, sandboxing, or clear warning. In a real developer environment this can destroy existing local game state or keys if the same paths are reused, causing data loss and potentially breaking account access for that local identity.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
Instructing the agent to present model/server-generated messages exactly as received can leak unsafe or sensitive content, including remote prompt-injection attempts, operational details, or credential-adjacent data returned by the game backend. Because the skill is autonomous and network-connected, the context makes this more dangerous than ordinary chatbot narration.

VirusTotal

64/64 vendors flagged this skill as clean.
