Lobster Dev Planner

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate development-planning assistant, but it can move into broad automatic file, GitHub, database, deployment, and notification actions with weak scoping.

Install only if you want more than a planning assistant. Use it in a sandbox or clearly scoped repository, connect least-privilege MCP accounts, use development databases, and require explicit approval before commits, pushes, SQL writes, deployments, shell commands, or external notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The skill is presented as a planning/documentation assistant, but the later phases expand into autonomous execution: file modification, repository operations, database writes, deployment actions, and auto-commits. This creates a capability mismatch that can cause users to invoke the skill expecting low-risk planning behavior while it performs high-impact system changes through MCP tools.

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The skill states '确认前不动手' ('do not act before confirmation'), but later sections prescribe automatic development and automatic node progression. This inconsistency can mislead users and downstream agents about when side-effecting actions are allowed, increasing the chance of unauthorized execution.

Intent-Code Divergence

Medium (92% confidence)
Finding
Contradictory instructions around confirmation and automatic advancement weaken safety guarantees and create ambiguous control flow for agents. In practice, ambiguity in a tool-using skill often results in the more permissive interpretation being followed, enabling unintended file, repo, database, or deployment actions.

Vague Triggers

High (98% confidence)
Finding
The trigger conditions are extremely broad and include vague everyday requests like '我想做个东西' ('I want to build something'), causing the skill to activate in situations where the user may not intend autonomous development behavior. Because the skill later performs or orchestrates high-impact actions, overbroad triggering materially increases the risk of accidental invocation and unsafe tool use.

Missing User Warnings

High (97% confidence)
Finding
The skill describes automatic tool use that can modify files, repositories, databases, deployments, and send notifications, but it does not provide prominent user-facing warnings or consent boundaries for those operations. Hidden or under-disclosed side effects are dangerous because users may provide access to tools under the assumption that the skill is only generating plans and documents.

Missing User Warnings

Medium (95% confidence)
Finding
The top-level description promises parallel development and auto-commit behavior without clearly warning that the skill may perform system-modifying actions. That omission increases the likelihood of uninformed consent and makes accidental repository changes, code generation, or infrastructure actions more likely.

VirusTotal

64/64 vendors flagged this skill as clean.