Lobster Continuous Learning V2

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for local continuous learning, but it broadly records Claude Code activity and can run a background process that writes learned behavior without per-action review.

Install only if you intentionally want Claude Code activity recorded locally for learning. Keep observer.enabled false unless you accept background Claude usage and automatic instinct-file writes, avoid sensitive repositories, narrow hook matchers where possible, and regularly review or delete ~/.claude/homunculus observations, registries, logs, and generated instincts before exporting or promoting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The observer is not limited to passive monitoring: it explicitly instructs the LLM to create or update files under INSTINCTS_DIR based on project observations, then archives the source observations. That gives an autonomous model a persistent write path into the project state without human review, which can lead to integrity issues, prompt-driven poisoning, or propagation of unsafe instructions into future runs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The prompt explicitly tells the LLM to use the Write tool directly, forbids asking for confirmation, and authorizes updates to instinct files whenever a pattern threshold is met. Because the model is analyzing potentially adversarial session data, this creates a classic prompt/data-injection path where untrusted content can influence persistent writes to disk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: The import command fetches arbitrary URLs without origin restrictions, integrity checks, or clear trust boundaries, then stores the fetched content as instincts that can later shape agent behavior. In this skill context, remote content is effectively configuration/training input, so accepting it from arbitrary network locations increases supply-chain and prompt-injection risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: The code collects and persists repository roots and remote URLs into a registry, creating a durable inventory of local projects and associated remotes. That exceeds the minimally necessary data for project scoping and increases privacy and reconnaissance exposure if the local homunculus directory is accessed by another process or user.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The projects command enumerates all known projects and prints roots, remotes, and observation counts, which creates an easy cross-project discovery surface. In a continuous-learning skill, exposing this inventory is more dangerous because it centralizes metadata across repositories and may reveal sensitive client, internal, or private repository information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill instructs users to install PreToolUse/PostToolUse hooks that capture prompts and tool-use data, but the warning about local observation appears later and is not presented as an upfront consent notice at the point of activation. Because hooks fire on every tool call, this enables broad session surveillance with a meaningful privacy risk even if data stays local.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The workflow performs automated creation and updating of files without any user-facing confirmation, despite operating on inferred patterns from session observations. In a continuous-learning skill, this makes the behavior more dangerous because mistakes or poisoned observations can silently persist into future automation and influence subsequent agent behavior.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill explicitly reads session observation logs and persists derived instincts, but it does not present any user-facing consent, retention, or privacy controls in the agent behavior. Because observations may include tool inputs/outputs, commands, filenames, and project identifiers, this creates a real privacy and data-governance risk even if the feature is intended for benign learning.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The hook persistently records tool inputs and outputs to project files, which can include prompts, command arguments, file contents, tokens, or other sensitive user data. The regex-based scrubbing is partial and likely misses many secret formats, so sensitive material may be retained on disk across sessions.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The file's purpose and implementation intentionally accumulate session/tool data over time for learning, which increases exposure from any missed redaction, local compromise, or accidental sharing of the storage directory. In a hook context, users may not expect all tool I/O to be persistently captured, making the privacy risk more significant.

VirusTotal

No VirusTotal findings