Jules and the Lobster API headless

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted task prompt or repository field could run code on the machine executing the skill, not just create a Jules API request.

Why it was flagged

The script inserts user-supplied prompt text directly into a Python heredoc instead of passing it as data. A value containing Python triple quotes can break out of the string and execute local Python code when the helper runs; the same pattern is used for title, source, and branch.

Skill content

--prompt) prompt="$2"; ... print(json.dumps('''$prompt'''))

Recommendation

Do not run this helper with untrusted text until fixed. Pass values to Python through argv, stdin, or environment variables, or use a safe JSON tool such as jq; avoid embedding shell variables inside generated Python source.

What this means

If used too broadly, the agent could start or approve autonomous coding work and create pull requests in repositories you connected to Jules.

Why it was flagged

The skill exposes high-impact API actions, including approving Jules plans, sending follow-up prompts, skipping plan approval, and creating PRs. These are purpose-aligned and disclosed, but they can affect connected repositories.

Skill content

approve plans, send messages, and retrieve outputs (e.g., PR URLs) ... Fully Automated Session (No Plan Approval)

Recommendation

Use plan approval by default, require explicit user confirmation before approve-plan, no-plan-approval, or auto-PR workflows, and limit use to intended repositories.

What this means

Anyone or any process with the API key and repository authorization may be able to operate Jules sessions for the connected repositories.

Why it was flagged

The skill requires a Jules API key and delegated GitHub repository access through the Jules GitHub app. This is expected for the stated integration, but it is sensitive account authority.

Skill content

Requires JULES_API_KEY env var ... Install the Jules GitHub app ... Grant access to the specific repositories

Recommendation

Protect the API key, grant Jules access only to required repositories, rotate the key if exposed, and avoid using broad organization-wide repository permissions.

What this means

The registry may not warn users about required credentials or tools before use.

Why it was flagged

The registry metadata lacks source/homepage information and does not declare the JULES_API_KEY, curl, python3, node, or jules dependencies described in SKILL.md. The included files are visible, but the install/runtime contract is incomplete.

Skill content

Source: unknown; Homepage: none ... Required env vars: none ... Required binaries (all must exist): none

Recommendation

Update metadata to declare the API key, required curl/python3 dependencies, optional node/jules CLI dependency, and a verifiable project source or homepage.

What this means

Prompts and repository context for delegated coding tasks may be processed outside the local agent environment by Jules.

Why it was flagged

The helper sends prompts, titles, source context, and session commands to the external Jules API. This is disclosed and purpose-aligned, but users should understand that task content and repository context are handled by an external coding agent service.

Skill content

BASE="https://jules.googleapis.com/v1alpha" ... curl -sS -X POST "${BASE}/sessions"

Recommendation

Do not include secrets in task prompts, use repositories appropriate for Jules access, and review provider terms and repository permissions before delegating sensitive work.

Findings (1)

critical

suspicious.dangerous_exec

Location

scripts/jules.js:17

Finding

Shell command execution detected (child_process).