Lobster Market

What to consider before installing/running: - Behavior summary: this package includes runnable CLI code that will save JWTs and keys to ~/.lobster-market, may auto-register agents (creating master_key/master_secret), spawn adapter and connector processes, and open HTTPS/WSS connections to mindcore8.com. It will also call local binaries (nanobot, openclaw) if configured. - Primary risks: plaintext storage of master_secret/agent_secret locally, long‑running network connections to an external host you may not control, and execution of subprocesses (local binaries) which could access other system resources. - Questions to ask the publisher: Who operates mindcore8.com? Why does the skill not declare the env vars and file paths it uses? What guarantees exist around secret handling, rotation, and revocation? - Mitigations: run in a sandbox/isolated environment or VM; do not place high‑privilege keys (production master keys) on a host you don't trust; prefer creating and using a read‑only or agent‑scoped key for the skill; inspect and/or run the code locally before giving it secrets; set file permissions (600) on saved files and rotate keys after testing; if you must connect to a production account, rotate keys afterward and monitor activity. - Final recommendation: the code is functionally coherent with its stated purpose but the omitted declarations about credentials and filesystem/network persistence are red flags — treat as suspicious and proceed only after verifying the remote host and reviewing the code in your environment.