Jules and the Lobster API headless
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: jules-and-lobster
Version: 1.0.5
The skill bundle is classified as **benign**. The `SKILL.md` provides clear, transparent instructions for interacting with the Jules REST API, including explicit security best practices such as treating `JULES_API_KEY` as a secret and recommending plan approval for sessions. It contains no prompt injection attempts or hidden malicious instructions. The `scripts/jules_api.sh` script securely handles user input by using `python3 -c 'import json; print(json.dumps(var))'` to escape all dynamic strings before embedding them into JSON payloads for `curl -d`, effectively preventing shell injection vulnerabilities. All network calls are directed to the legitimate `https://jules.googleapis.com` domain. Similarly, `scripts/jules.js` uses `node:child_process.spawnSync` with an array of arguments, which is the secure method to execute external commands and prevents command injection. There is no evidence of intentional harmful behavior, data exfiltration, persistence, or unauthorized actions across any of the analyzed files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted task prompt or repository field could run code on the machine executing the skill, not just create a Jules API request.
The script inserts user-supplied prompt text directly into a Python heredoc instead of passing it as data. A value containing Python triple quotes can break out of the string and execute local Python code when the helper runs; the same pattern is used for title, source, and branch.
--prompt) prompt="$2"; ... print(json.dumps('''$prompt'''))
Do not run this helper with untrusted text until fixed. Pass values to Python through argv, stdin, or environment variables, or use a safe JSON tool such as jq; avoid embedding shell variables inside generated Python source.
If used too broadly, the agent could start or approve autonomous coding work and create pull requests in repositories you connected to Jules.
The skill exposes high-impact API actions, including approving Jules plans, sending follow-up prompts, skipping plan approval, and creating PRs. These are purpose-aligned and disclosed, but they can affect connected repositories.
approve plans, send messages, and retrieve outputs (e.g., PR URLs) ... Fully Automated Session (No Plan Approval)
Use plan approval by default, require explicit user confirmation before approve-plan, no-plan-approval, or auto-PR workflows, and limit use to intended repositories.
Anyone or any process with the API key and repository authorization may be able to operate Jules sessions for the connected repositories.
The skill requires a Jules API key and delegated GitHub repository access through the Jules GitHub app. This is expected for the stated integration, but it is sensitive account authority.
Requires JULES_API_KEY env var ... Install the Jules GitHub app ... Grant access to the specific repositories
Protect the API key, grant Jules access only to required repositories, rotate the key if exposed, and avoid using broad organization-wide repository permissions.
The registry may not warn users about required credentials or tools before use.
The registry metadata lacks source/homepage information and does not declare the JULES_API_KEY, curl, python3, node, or jules dependencies described in SKILL.md. The included files are visible, but the install/runtime contract is incomplete.
Source: unknown; Homepage: none ... Required env vars: none ... Required binaries (all must exist): none
Update metadata to declare the API key, required curl/python3 dependencies, optional node/jules CLI dependency, and a verifiable project source or homepage.
Prompts and repository context for delegated coding tasks may be processed outside the local agent environment by Jules.
The helper sends prompts, titles, source context, and session commands to the external Jules API. This is disclosed and purpose-aligned, but users should understand that task content and repository context are handled by an external coding agent service.
BASE="https://jules.googleapis.com/v1alpha" ... curl -sS -X POST "${BASE}/sessions"
Do not include secrets in task prompts, use repositories appropriate for Jules access, and review provider terms and repository permissions before delegating sensitive work.
