Security
v1.0.5Enterprise-grade security framework for LobsterAI with audit logging, RBAC, input validation, output sanitization, code scanning, and dependency vulnerabilit...
⭐ 0· 122·0 current·0 all-time
bystoney@stoneyhoo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The files (audit logger, RBAC authorizer, input validator, output sanitizer, code and dependency scanners) match the skill name and description. The scanner components explicitly target SKILLs code and dependency files which is expected for a security framework. Minor mismatch: the registry metadata listed no required environment variables, but SKILL.md documents LOBSTERAI_HOME, LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID and SKILLS_ROOT — these environment variables are reasonable for this skill but the registry omission is an inconsistency to note.
Instruction Scope
SKILL.md and the code explicitly allow scanning 'all skills' under the SKILLs directory and advise copying the security module into the SKILLS_ROOT. The scanner reads other skills' source code and dependency files (intentionally). The code and examples use subprocess calls to optional external tools (e.g., safety, pip-audit) and spawn the Python audit logger from other skill wrappers (including background launches that write PID files under /tmp in examples). These behaviors are coherent with the stated purpose but constitute broad read scope and some runtime actions that should only be enabled if you trust the package.
Install Mechanism
There is no declared install spec; the package is provided as code files and DEPLOYMENT.md instructs manual copying into SKILLS_ROOT. No external downloads/URLs or package installs are forced by the skill itself. This is lower risk than a remote installer but means files will be written into your SKILLs tree if you follow the deployment steps—review the code before copying.
Credentials
Required environment variables in SKILL.md (LOBSTERAI_HOME, SKILLS_ROOT, optional LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID) are appropriate for logging and locating SKILLs. The skill will read code and dependency files across SKILLs if asked to scan 'all', which is necessary for its scanning function but grants broad read access to other skills (including any hard-coded secrets within them). No unrelated external credentials are requested.
Persistence & Privilege
The skill is not force-included (always:false) and uses normal integration patterns (importable Python package and optional wrappers). It does not request elevated platform privileges in its code. Note: autonomous invocation (disable-model-invocation:false) is the platform default — combined with the skill's ability to scan the whole SKILLs tree, this increases the impact if you allow the skill to be invoked broadly; that is expected for a security tool but worth considering before enabling automated scans.
Assessment
This package appears to implement what it claims: auditing, RBAC, input/output sanitization, code and dependency scanning. Before installing or enabling system-wide scans you should: (1) review the code (especially audit_logger, code_scanner, dependency_scanner) yourself or in a staging environment; (2) limit initial scans to specific skills (use --skill <id>) rather than --skill all; (3) set up and protect LOBSTERAI_HOME and rbac_config.json with restrictive file permissions; (4) configure LOBSTERAI_AUDIT_SECRET if you need tamper-evident logs; (5) be aware the module will read other skills' source and dependency files (potentially exposing secrets if they are hard-coded); and (6) run the module in an isolated environment first (or with limited privileges) if you are unsure of the source. The registry metadata omission of required environment variables is a minor inconsistency — prefer the SKILL.md values when configuring.Like a lobster shell, security has layers — review code before you run it.
auditvk97dwkj3tc77rjt6ysrrgc43bs837j0ncompliancevk97dwkj3tc77rjt6ysrrgc43bs837j0nlatestvk97byrcx4ns3rn9wxn93yh86dh837g8trbacvk97dwkj3tc77rjt6ysrrgc43bs837j0nscanningvk97dwkj3tc77rjt6ysrrgc43bs837j0nsecurityvk97dwkj3tc77rjt6ysrrgc43bs837j0nvalidationvk97dwkj3tc77rjt6ysrrgc43bs837j0n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.