Jules and the Lobster API headless

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly what it discloses, a helper for the Jules REST API, but its shell wrapper (scripts/jules_api.sh) builds Python code by interpolating the prompt, title, source and branch values into it for JSON escaping, so a crafted value in any of those fields can execute arbitrary local Python with the operator's privileges and environment.

Review before installing or using this version. Use plan approval and narrow the Jules and GitHub repository access the skill is granted, keep JULES_API_KEY protected (the wrapper runs with the same environment the key lives in), and do not pass untrusted task text through scripts/jules_api.sh until the JSON escaping is fixed to hand values to Python as data (arguments or environment variables) rather than interpolating them into Python source.
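To make the overview concrete, the following is an added illustration of the bug class and of the fix, not the skill's own scripts/jules_api.sh (whose exact code is not on this page). It assumes python3 is on PATH, the injected payload is constructed for the demonstration, and the JSON field names are illustrative rather than the Jules API schema.

```shell
#!/bin/sh
# Added illustration of the interpolation bug class described in the overview.
# Not scripts/jules_api.sh; field names and the payload are assumptions.
# Requires python3 on PATH, which a wrapper doing its escaping in Python needs anyway.

# VULNERABLE: the caller's value is spliced into Python source text before
# python3 ever runs. A value that closes the string literal becomes code and
# runs as the operator, with the operator's environment (JULES_API_KEY included).
unsafe_json_escape() {
  python3 -c "import json; print(json.dumps('$1'))"
}

# FIXED: the value reaches Python as argv, never as source. json.dumps escapes
# quotes, backslashes and newlines; nothing in the value is parsed as code.
safe_json_escape() {
  python3 -c 'import json, sys; print(json.dumps(sys.argv[1]))' "$1"
}

# The same rule for a whole request body: pass every field through the
# environment and let Python build and serialise the object. The field names
# are illustrative only, not the Jules API schema.
build_task_body() {
  JULES_PROMPT="$1" JULES_TITLE="$2" JULES_SOURCE="$3" JULES_BRANCH="$4" \
  python3 -c 'import json, os
e = os.environ
print(json.dumps({
    "prompt": e["JULES_PROMPT"],
    "title": e["JULES_TITLE"],
    "source": e["JULES_SOURCE"],
    "branch": e["JULES_BRANCH"],
}))'
}

# Constructed payload: closes json.dumps() and print(), runs arbitrary Python
# (here just 1+1), then reopens a string so the interpolated template still parses.
INJECT="')); print(1+1); (('"

# Run this to see both behaviours side by side.
demo() {
  echo "unsafe:"; unsafe_json_escape "$INJECT"   # prints "" and then 2: the payload executed
  echo "safe:";   safe_json_escape "$INJECT"     # prints the payload as a single JSON string
  echo "body:";   build_task_body "$INJECT" "a title" "example-source" "main"
}
```

The review check for the wrapper itself follows from this: any `python -c "..."` or heredoc whose body contains an expanded shell variable is treating caller input as code, and the fix is to move that variable out of the program text and into argv or the environment.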

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 86%
Finding: The skill is presented as a REST API wrapper using curl, but it also documents a separate Node/Jules CLI path with capabilities not covered in the core description. That mismatch can cause operators to trust the skill under a narrower threat model than its actual behavior, increasing the chance of unintended local command execution or data access through the CLI toolchain.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: Advertising a curl-only REST skill while also declaring Node and a local Jules CLI wrapper broadens the operational surface beyond what users may expect. This is dangerous because local CLIs can inherit additional credentials, config, or filesystem access that differ from a constrained REST-only interaction model.

VirusTotal

59/59 vendors reported this skill as clean. A clean VirusTotal result does not address the interpolation bug described in the overview: antivirus engines look for known-malicious content, not for injection flaws in a script's own logic.
