Jules and the Lobster API headless
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with its Jules API purpose, but its shell helper can turn crafted task text into local Python code execution.
Review this skill before installing. It can operate Jules on connected GitHub repositories, so protect the API key and keep plan approval enabled. Most importantly, patch scripts/jules_api.sh or avoid running it with untrusted task text, because crafted prompts can escape the JSON-escaping heredoc and execute local Python code.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted task prompt or repository field could run code on the machine executing the skill, not just create a Jules API request.
The script inserts user-supplied prompt text directly into a Python heredoc instead of passing it as data. A value containing Python triple quotes can break out of the string and execute local Python code when the helper runs; the same pattern is used for title, source, and branch.
--prompt) prompt="$2"; ... print(json.dumps('''$prompt'''))
Do not run this helper with untrusted text until fixed. Pass values to Python through argv, stdin, or environment variables, or use a safe JSON tool such as jq; avoid embedding shell variables inside generated Python source.
If used too broadly, the agent could start or approve autonomous coding work and create pull requests in repositories you connected to Jules.
The skill exposes high-impact API actions, including approving Jules plans, sending follow-up prompts, skipping plan approval, and creating PRs. These are purpose-aligned and disclosed, but they can affect connected repositories.
approve plans, send messages, and retrieve outputs (e.g., PR URLs) ... Fully Automated Session (No Plan Approval)
Use plan approval by default, require explicit user confirmation before approve-plan, no-plan-approval, or auto-PR workflows, and limit use to intended repositories.
Anyone or any process with the API key and repository authorization may be able to operate Jules sessions for the connected repositories.
The skill requires a Jules API key and delegated GitHub repository access through the Jules GitHub app. This is expected for the stated integration, but it is sensitive account authority.
Requires JULES_API_KEY env var ... Install the Jules GitHub app ... Grant access to the specific repositories
Protect the API key, grant Jules access only to required repositories, rotate the key if exposed, and avoid using broad organization-wide repository permissions.
The registry may not warn users about required credentials or tools before use.
The registry metadata lacks source/homepage information and does not declare the JULES_API_KEY, curl, python3, node, or jules dependencies described in SKILL.md. The included files are visible, but the install/runtime contract is incomplete.
Source: unknown; Homepage: none ... Required env vars: none ... Required binaries (all must exist): none
Update metadata to declare the API key, required curl/python3 dependencies, optional node/jules CLI dependency, and a verifiable project source or homepage.
Prompts and repository context for delegated coding tasks may be processed outside the local agent environment by Jules.
The helper sends prompts, titles, source context, and session commands to the external Jules API. This is disclosed and purpose-aligned, but users should understand that task content and repository context are handled by an external coding agent service.
BASE="https://jules.googleapis.com/v1alpha" ... curl -sS -X POST "${BASE}/sessions"
Do not include secrets in task prompts, use repositories appropriate for Jules access, and review provider terms and repository permissions before delegating sensitive work.
