Skill v1.0.7
ClawScan security
Perp Lobster · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 21, 2026, 2:18 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's behavior is consistent with a trading assistant that clones a GitHub repo and runs its scripts, but the registry metadata omits the fact that users must store private keys in a local .env and the runtime instructions allow executing repository scripts — so review before approving any setup or run commands.
- Guidance
- What to consider before installing/using Perp Lobster:
  - This skill will clone and run code from https://github.com/ThisNewMark/perplobster and asks you to run its setup.sh (which installs packages). Do not run setup.sh without reviewing its contents.
  - The project requires you to put a private key (HL_SECRET_KEY) into perplobster/.env on your machine. The skill states it will not ask you to paste keys into chat and will not read the .env file; however, the project scripts will access that file when they run. Use an account/subaccount with minimal funds and limited permissions.
  - Before approving any script execution, inspect the scripts referenced (setup.sh, scripts/trade.py, start.sh, approve_builder_fee.py). The SKILL.md recommends doing this (cat the file); follow that guidance every time.
  - Prefer running the code in an isolated environment (VM or container) and not on a machine with other sensitive keys or tokens. Consider creating a new wallet/subaccount specifically for bots.
  - Verify the GitHub repo: check commit history, contributors, and issues to confirm it is the expected project and not a typo-squatted/malicious fork.
  - If you want stronger safety, avoid enabling autonomous invocation for this skill (require user confirmation for all actions) and do not store high-value keys on the same host.
  - The registry metadata does not declare the required local .env keys; treat that as a documentation gap and do not assume the skill has no credential needs.
Review Dimensions
- Purpose & Capability
- note: Name/description match the instructions: this is a trading assistant for Hyperliquid that clones a public GitHub repo and runs its Python scripts to trade or run bots. The only mismatch is that the registry metadata declares no required env vars/credentials, while the SKILL.md instructs the user to populate perplobster/.env with HL_ACCOUNT_ADDRESS and HL_SECRET_KEY (a private key). This is coherent for the stated purpose, but the metadata omission is noteworthy.
- Instruction Scope
- note: SKILL.md instructs the agent to run shell commands (git clone, source a virtualenv, run python scripts, start/stop bots). It also instructs the agent to cat setup.sh and other scripts and to get explicit user approval before executing setup scripts or placing trades. That is appropriate for this purpose, but giving the agent the ability to execute arbitrary repo scripts is powerful; the skill mitigates this by requiring user confirmation and showing scripts before execution.
- Install Mechanism
- note: No formal install spec in the registry, but the instructions ask to run the project's setup.sh, which will create a venv and install dependencies (likely from PyPI). This is expected for installing a Python project, but it means code and packages will be downloaded and executed locally; review setup.sh and requirements before running.
- Credentials
- concern: The skill runtime expects a local .env containing HL_ACCOUNT_ADDRESS and HL_SECRET_KEY (private key), yet the registry metadata lists no required environment variables or primary credential. The SKILL.md explicitly forbids asking users to paste private keys into chat and forbids the agent from reading .env, which is good practice; however, the mismatch between declared metadata and instructions could lead users to overlook the sensitive local credential requirement. Also, running the provided scripts gives those scripts access to the private key on disk; that is necessary for trading but high-sensitivity and should be scoped to a limited/subaccount wallet.
- Persistence & Privilege
- ok: The skill is not force-enabled (always:false) and is user-invocable. It does not request persistent platform privileges or attempt to modify other skills. Autonomous invocation is allowed by default, which is not unusual; per SKILL.md, trades are placed only after user confirmation, which limits what autonomous invocation can do on its own.
