Lobster Haoyun

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for a fortune/personality-reading tool, but it asks the agent to analyze broad private context and creates persistent local credentials, while its privacy disclosures are inconsistent about whether a stable OpenID is shared with an external service.

Install only if you are comfortable with an agent analyzing broad local context for personality inference and with a persistent OceanBus identity stored under ~/.lucky-lobster. Review or delete that directory to reset identity and stored state, and be aware that OpenID-based recommendation/de-duplication events may be sent to the L1 service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The documentation asserts that profile data never leaves the device, yet the described flow sends user-derived labels, demographics, and an OpenID to an external L1 service. Even if direct identifiers are omitted, the combination of a pseudonymous identifier with demographic/personality attributes can enable tracking, linkage, or re-identification, and the "never leaves the device" claim misleads users about what is actually disclosed.

Intent-Code Divergence

Severity: Low
Confidence: 82%
Finding
The architecture says the output JSON includes the full local profile in the calling agent context while elsewhere claiming profile data stays local. Although this may remain on-device, exposing full profile data to the broader agent/LLM context increases internal access to sensitive attributes and creates a misleading privacy boundary for users.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The document promises explicit first-run consent before personality analysis and network transmission, but nothing in the execution flow enforces that consent check in code. If an invocation can proceed directly to fortune generation, the skill may analyze memory and transmit derived user data without valid consent, which is a meaningful privacy and compliance failure.
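The gap this finding describes is a consent step that exists only in documentation. The following is an added example, not the skill's own code, of the shape a code-level gate takes: the analysis and transmission steps are reachable only through runFortune(), which refuses each step unless a scoped, current consent record covers it. The record layout, CONSENT_VERSION, and the analyze/send callbacks are hypothetical.

```javascript
// Added example (not the skill's code): a consent gate the execution flow
// cannot bypass. Record layout and version constant are assumptions.

const CONSENT_VERSION = 2; // bump whenever the disclosed data flows change

// Accept only an explicit, current, scoped consent record.
// A record granted against an older disclosure version does not count.
function consentAllows(record, scope) {
  if (!record || record.version !== CONSENT_VERSION) return false;
  if (typeof record.grantedAt !== "number") return false;
  return Boolean(record.scopes) && record.scopes[scope] === true;
}

// Runs the personality analysis and the optional network transmission.
// The callbacks stand in for the skill's own steps and are never invoked
// without the matching consent scope.
function runFortune(consentRecord, { analyze, send }) {
  const trace = [];
  if (!consentAllows(consentRecord, "analysis")) {
    trace.push("consent:missing:analysis");
    return { ok: false, trace, needsConsent: ["analysis"] };
  }
  trace.push("analysis:run");
  const profile = analyze();

  // Analysis consent does not imply transmission consent.
  if (!consentAllows(consentRecord, "transmission")) {
    trace.push("transmission:skipped");
    return { ok: true, trace, profile, transmitted: false };
  }
  trace.push("transmission:run");
  send(profile);
  return { ok: true, trace, profile, transmitted: true };
}

// Constructed consent records for the cases a reviewer should exercise.
const NO_CONSENT = null;
const ANALYSIS_ONLY = { version: 2, grantedAt: 1700000000, scopes: { analysis: true } };
const STALE_VERSION = { version: 1, grantedAt: 1690000000, scopes: { analysis: true, transmission: true } };
const FULL_CONSENT = { version: 2, grantedAt: 1700000000, scopes: { analysis: true, transmission: true } };

// Drives runFortune with stub steps and reports whether send() was reached.
function demo(record) {
  let sent = 0;
  const result = runFortune(record, {
    analyze: () => ({ tags: ["curious"], ageBand: "30-39" }), // constructed profile
    send: () => { sent += 1; },
  });
  return { ...result, sent };
}
```

The STALE_VERSION case is the one most often missed: consent collected when the manifest said "nothing leaves the device" should not silently cover a later version that adds the L1 transmission.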

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The manifest claims only coarse anonymous attributes are sent, yet the documented flow also includes persistent OpenID and local API credentials in communications with the OceanBus layer. Even if the identifier is pseudonymous, omitting it from the disclosure is risky because stable identifiers can support repeat correlation and materially change the privacy model users are consenting to.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The module persists OceanBus identity credentials to a predictable file in the user's home directory, which undermines the claimed anonymous/non-trackable model if the host is shared, backed up, or later inspected. Even if intended for convenience, storing long-lived agent identifiers and API keys creates a local linkage point that can be used to restore or correlate the same identity across sessions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill metadata promises that only coarse attributes like city-level location, age band, and personality tags are sent over OceanBus, but the discovery flow transmits the user's OceanBus openid to the remote L1 service. Even if the openid is pseudonymous, it is still a stable identifier that enables tracking and correlation of activity, and sending it violates the stated data-minimization/privacy expectations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill advertises 'zero user input' and analysis from memory, session history, and loaded files without a clear warning or consent step. In this context, that enables covert collection and inference over sensitive user data well beyond the immediate request, which is especially risky for a personality-analysis feature.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation does not clearly warn users that anonymized profile-derived data and a persistent OpenID may be sent to an external service. Users therefore cannot make an informed decision about cross-system sharing, and the OpenID increases the risk of longitudinal tracking despite the 'anonymous' framing.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger phrase "看运势" ("check my fortune") is short, natural, and likely to appear in ordinary user conversation, which creates a realistic risk of accidental invocation. In this skill's context, accidental activation is more dangerous because the skill performs personality analysis over local dialogue/history and may also create local state or initiate network-backed fortune workflows without a clearly intentional opt-in at the moment of trigger.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README states that first use will automatically create an OceanBus anonymous identity and write credentials to ~/.lucky-lobster/ob-credentials.json, but does not present this as an explicit consented write operation. Silent creation of credential-bearing local files can surprise users, complicate forensic review, and increase privacy/security risk if users did not understand persistence would occur.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
Broad trigger phrases like "认识我" ("get to know me") or "了解我" ("understand me") can cause accidental invocation of a skill that performs sensitive personality analysis over conversation and memory context. In this privacy-heavy skill, unintended activation raises the likelihood of surprise analysis, credential creation, and outbound data flow without the user meaning to invoke it.
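Both Vague Triggers findings turn on the same point: the three phrases occur inside ordinary sentences that are not requests. The following added example (not the skill's code) shows naive substring matching firing on constructed chat turns that merely mention the phrases, next to a stricter matcher that requires the phrase to be the whole utterance or to follow an explicit invocation prefix. The prefix "/" and the stricter rule are one possible design, assumed here, not something the skill implements.

```javascript
// Added example (not the skill's code): trigger specificity for the three
// phrases quoted in the findings. Sample messages are constructed.
const TRIGGERS = ["看运势", "认识我", "了解我"];

// Naive matching: the trigger fires whenever the phrase appears anywhere.
function naiveMatch(message, triggers = TRIGGERS) {
  return triggers.filter((t) => message.includes(t));
}

// Stricter matching (assumed design): the trigger must be the whole
// utterance after trimming trailing punctuation, or follow an explicit
// invocation prefix such as "/". Returns the matched trigger or null.
function strictMatch(message, triggers = TRIGGERS, prefix = "/") {
  const cleaned = message.trim().replace(/[\s，。！？!?.,]+$/u, "");
  for (const t of triggers) {
    if (cleaned === t) return t;
    if (cleaned.startsWith(prefix) && cleaned.slice(prefix.length).trim() === t) return t;
  }
  return null;
}

// Constructed conversation turns. The first three only talk *about* the
// phrases and should not invoke a personality-analysis skill.
const SAMPLE_MESSAGES = [
  "我妈每天早上都要看运势，我觉得挺好笑的", // "my mum checks her fortune every morning, I find it funny"
  "你还不够了解我，别乱猜",                 // "you don't understand me well enough yet, stop guessing"
  "我想让朋友认识我的新同事",               // "I want my friend to meet my new colleague"
  "看运势",                                 // explicit request
  "/看运势",                                // explicit command form
];

// Side-by-side result for each message: did naive / strict matching fire?
function compare(messages = SAMPLE_MESSAGES) {
  return messages.map((m) => ({
    message: m,
    naive: naiveMatch(m).length > 0,
    strict: strictMatch(m) !== null,
  }));
}
```

Whichever rule a skill adopts, the invocation of an action with the side effects this skill has (context analysis, credential creation, outbound events) should also be confirmed at trigger time rather than inferred from a substring.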

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Credentials are written to disk automatically on first run with no user notice or consent, which is a privacy and secret-handling issue. In the context of a skill marketed as anonymous and non-trackable, silent persistence makes the behavior more dangerous because users are less likely to expect that identifiers and API keys remain on disk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The discovery action sends the user's openid to a remote L1 service without any user-facing warning in this file. In a skill marketed as anonymous and privacy-preserving, undisclosed transmission of a stable identifier materially increases privacy risk because users may reasonably believe no identifying token is shared.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The discovery:shown action sends openid along with interaction metadata such as source and slug to the remote L1 service, enabling per-user behavioral tracking. This is more sensitive than a one-off identifier transfer because it reveals what content was shown to a specific pseudonymous user over time, which can be profiled or correlated.
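This finding and the earlier one on pseudonymous identifier plus demographic attributes describe the same mechanism from the receiving side. The following added example, which is neither the skill's nor the L1 service's code, shows what a stream of discovery:shown events carrying openid, source and slug lets a recipient build, and a minimised alternative in which de-duplication is done locally so no stable identifier leaves the device. The event shape beyond the three named fields, the coarse attributes, and the sample events are constructed for the illustration.

```javascript
// Added example (not the skill's or L1's code): per-user history that a
// stable openid makes possible, and a minimised event that does not.
// Event layout and sample data are constructed.

// Constructed events as a receiving service would see them over a few days.
const RECEIVED_EVENTS = [
  { type: "discovery:shown", openid: "ob_7f2a", source: "fortune", slug: "tarot-love", ts: 1, city: "Hangzhou", ageBand: "30-39" },
  { type: "discovery:shown", openid: "ob_7f2a", source: "fortune", slug: "career-change", ts: 2, city: "Hangzhou", ageBand: "30-39", tags: ["anxious"] },
  { type: "discovery:shown", openid: "ob_c91d", source: "fortune", slug: "tarot-love", ts: 3, city: "Shenzhen", ageBand: "20-29" },
  { type: "discovery:shown", openid: "ob_7f2a", source: "recommend", slug: "therapy-app", ts: 4, city: "Hangzhou", ageBand: "30-39", tags: ["anxious", "night-owl"] },
];

// A stable identifier turns independent events into a per-user record:
// everything ever shown to that pseudonymous user, plus the union of every
// attribute the user ever disclosed alongside it.
function buildProfiles(events) {
  const profiles = new Map();
  for (const ev of events) {
    if (!ev.openid) continue; // nothing to link on
    const p = profiles.get(ev.openid) || { shown: [], attributes: {}, tags: new Set() };
    p.shown.push({ ts: ev.ts, source: ev.source, slug: ev.slug });
    if (ev.city) p.attributes.city = ev.city;
    if (ev.ageBand) p.attributes.ageBand = ev.ageBand;
    for (const t of ev.tags || []) p.tags.add(t);
    profiles.set(ev.openid, p);
  }
  return profiles;
}

// Minimised event: keep only what the recipient needs to count impressions.
// No identifier and no demographics ride along.
function minimiseEvent(ev) {
  return { type: ev.type, source: ev.source, slug: ev.slug };
}

function minimiseAll(events) {
  return events.map(minimiseEvent);
}

// Client-side de-duplication: the skill keeps its own "already shown" set,
// so the server never needs a stable identifier to avoid repeats.
function shouldShow(seen, slug) {
  if (seen.has(slug)) return false;
  seen.add(slug);
  return true;
}
```

The profile for ob_7f2a ends up with three impressions, a city, an age band and two personality tags gathered from separate events; that accumulation over time, not any single event, is what "anonymous" framing understates.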

Ssd 3

Severity: High
Confidence: 98%
Finding
The skill explicitly instructs the agent to perform personality analysis from memory, session history, and loaded files with no new user input. That is a broad directive to harvest and repurpose sensitive contextual data, including information unrelated to the current request, making overcollection and sensitive inference very likely.

Ssd 3

Severity: High
Confidence: 97%
Finding
The design notes explicitly rely on the LLM having access to the user's memory, session history, and files for analysis. In a personality-reading skill, this materially increases the danger because the feature's value proposition encourages summarization and inference over highly sensitive personal context, including emotional state and private documents.

Ssd 3

Severity: High
Confidence: 98%
Finding
The local-only data list includes conversation content, names, behavioral details, emotional state, and file contents for agent analysis. Even if not transmitted externally, this is still a dangerous instruction set because it normalizes comprehensive sensitive-data harvesting and synthesis inside the agent context, where it can influence outputs or be inadvertently exposed.

Credential Access

Severity: High
Category: Privilege Escalation
Content
/**
 * OB Identity bootstrap — auto-register on first run, restore from disk thereafter.
 * Credentials stored at ~/.lucky-lobster/ob-credentials.json
 */
import os from "node:os";
import path from "node:path";
Confidence: 91%
Finding
credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content
import fs from "node:fs";

const DATA_DIR = path.join(os.homedir(), ".lucky-lobster");
const CRED_FILE = path.join(DATA_DIR, "ob-credentials.json");

// Creates the data directory on first run; the credential file is written beneath it.
function ensureDir(dir) {
  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
}
Confidence: 91%
Finding
credentials.json

VirusTotal

VirusTotal findings are pending for this skill version.
