Lobster Market

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for managing a marketplace, but it stores high-privilege account secrets in plaintext on disk and exposes local agent-execution surfaces (an unauthenticated adapter endpoint and remotely configured subprocess launches) that need review before use.

Install only if you accept a skill that can manage Lobster Market accounts, wallet actions, agents, and local adapter processes. Run it under a trusted local account, protect or remove the ~/.lobster-market credential files, keep adapter ports bound to loopback rather than exposed to a network, and require explicit confirmation before paid calls, publishing, reviews, key changes, or task execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Tainted flow: 'req' from os.environ.get (line 45, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except Exception as e:
        print(f"⚠️  API request failed: {e}")
Confidence
88% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:
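The flow reported above (a value read from the environment, carried through a variable into a network call) is the "Variable-Mediated Taint Flow" pattern listed under Taint Tracking. The following is an added example written for this page, not SkillSpector's implementation and not code from the skill: a small flow-insensitive taint tracer over Python's ast module. The source and sink lists, and the sample program it is run on, are constructed for illustration; the sample reproduces the shape of the flagged code with a placeholder URL.

```python
# Added example: minimal taint tracer for "env/credential read -> variable -> network call".
# Written from scratch for this page; not SkillSpector's or the skill's code.
import ast

# Calls treated as credential/environment sources (dotted names). Constructed list.
TAINT_SOURCES = {("os", "environ", "get"), ("os", "getenv"), ("getenv",)}
# Calls treated as network output sinks. Constructed list.
NETWORK_SINKS = {("urllib", "request", "urlopen"), ("urlopen",),
                 ("requests", "get"), ("requests", "post")}


def _dotted(node):
    """Return ('os', 'environ', 'get') for the expression os.environ.get, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _tainted_refs(expr, tainted):
    """Names inside `expr` that are already tainted, plus any direct source read."""
    refs = set()
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            refs.add(sub.id)
        elif isinstance(sub, ast.Call) and _dotted(sub.func) in TAINT_SOURCES:
            refs.add(ast.unparse(sub))                      # e.g. os.environ.get('X')
        elif isinstance(sub, ast.Subscript) and _dotted(sub.value) == ("os", "environ"):
            refs.add(ast.unparse(sub))                      # os.environ['X']
    return refs


def find_taint_flows(source):
    """Return [{sink, line, path}] for every sink call that receives tainted data.

    Assignments and calls are visited in source order. A name becomes tainted when
    its right-hand side references a source or another tainted name, and the taint
    is cleared when the name is reassigned from clean data. Control flow is ignored.
    """
    tree = ast.parse(source)
    tainted = {}      # variable name -> chain of names it was derived from
    findings = []
    nodes = [n for n in ast.walk(tree) if isinstance(n, (ast.Assign, ast.Call))]
    for node in sorted(nodes, key=lambda n: (n.lineno, n.col_offset)):
        if isinstance(node, ast.Assign):
            refs = _tainted_refs(node.value, tainted)
            for target in node.targets:
                if not isinstance(target, ast.Name):
                    continue
                if refs:
                    origin = sorted(refs)[0]
                    tainted[target.id] = tainted.get(origin, [origin]) + [target.id]
                else:
                    tainted.pop(target.id, None)            # clean reassignment kills taint
            continue
        sink = _dotted(node.func)
        if sink not in NETWORK_SINKS:
            continue
        args = list(node.args) + [kw.value for kw in node.keywords]
        refs = set().union(*(_tainted_refs(a, tainted) for a in args)) if args else set()
        if refs:
            origin = sorted(refs)[0]
            findings.append({"sink": ".".join(sink), "line": node.lineno,
                             "path": tainted.get(origin, [origin]) + [".".join(sink)]})
    return findings


# Constructed sample program with the same shape as the flagged code (placeholder URL).
SAMPLE_PROGRAM = '''\
import os, json, urllib.request

def fetch_profile():
    token = os.environ.get("LOBSTER_API_KEY")
    req = urllib.request.Request("https://api.example.invalid/me", headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())

def health():
    # constant URL, nothing tainted: must not be reported
    return urllib.request.urlopen("https://api.example.invalid/health", timeout=5)
'''

if __name__ == "__main__":
    for flow in find_taint_flows(SAMPLE_PROGRAM):
        print(f"line {flow['line']}: " + " -> ".join(flow["path"]))
```

Running it on the sample reports a single chain, os.environ.get('LOBSTER_API_KEY') -> token -> req -> urllib.request.urlopen, and nothing for the constant-URL health check. The tracer is deliberately simple (no inter-procedural or branch analysis), which is enough to show why a credential placed in a request object still reaches the sink through the variable rather than appearing in the call itself.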

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill describes capabilities that include network access, shell/CLI execution, environment access, and reading/writing credential files, yet it declares no explicit permissions or safety boundaries. In a skill that manages wallets, agent identities, and persistent credentials, this creates a real risk of over-privileged execution, secret exposure, and unintended side effects without clear user consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond a conversational market-management skill and appears to include local process control, HTTP/WebSocket services, subprocess invocation of additional tools, and credential persistence. This mismatch is dangerous because users and hosting platforms may trust the skill with a lower-risk profile than its actual operational reach, enabling stealthier execution of powerful local and network actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The adapter exposes an unauthenticated network endpoint that accepts user-controlled input and forwards it to an external CLI agent for execution. Although subprocess arguments are passed safely without a shell, this still creates a powerful remote execution/proxy surface: any caller who can reach /execute can trigger nanobot actions with the adapter's privileges, potentially invoking downstream tools, accessing local data in the configured nanobot directory, or causing unwanted side effects.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The /execute endpoint accepts arbitrary user-supplied text and forwards it to the local openclaw CLI, effectively exposing a powerful local agent/subprocess capability over unauthenticated HTTP. Even though subprocess arguments are passed safely as a list, this still creates a remote prompt-injection and capability-exposure risk: any reachable client can drive the local OpenClaw agent to perform sensitive actions available in its environment.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The launcher retrieves execution_config from the remote API and uses it to decide which local adapters and binaries to execute, including nanobot_bin and nanobot_dir. In a skill whose stated purpose is market management, this materially expands trust from conversational management into local code/process execution, so a compromised API, malicious agent config, or poisoned cache can cause unauthorized local program execution.
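The three findings above describe one surface from two sides: an HTTP /execute endpoint that forwards caller-supplied text to a local CLI agent without authentication, and a launcher that lets remotely fetched execution_config choose which binaries run. The following is an added example of the minimal hardening such an adapter needs; it is not the skill's own adapter code and does not reproduce its internals. Assumptions are marked in the code: the allowlisted binary names, the trusted install directories, the LOBSTER_ADAPTER_TOKEN variable and the --prompt flag are all hypothetical.

```python
# Added example (not the skill's adapter): loopback-only, token-authenticated /execute,
# bounded input, argv-only subprocess, and an allowlist for config-supplied binaries.
import hmac
import http.server
import json
import os
import subprocess

ALLOWED_BINARIES = {"nanobot", "openclaw"}           # assumption: the adapters the skill starts
ALLOWED_BIN_DIRS = ("/usr/local/bin", "/usr/bin")  # assumption: where trusted installs live
MAX_PROMPT_BYTES = 4096


def authorized(header_value, expected_token):
    """Constant-time check of an 'Authorization: Bearer <token>' header."""
    if not expected_token or not header_value:
        return False
    scheme, _, presented = header_value.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        presented.strip().encode(), expected_token.encode())


def resolve_binary(requested, allowed=ALLOWED_BINARIES, dirs=ALLOWED_BIN_DIRS):
    """Map a binary name taken from execution_config to an allowlisted absolute path.

    Only a bare allowlisted name is accepted (no paths, no PATH lookup), and the
    symlink-resolved target must sit inside a trusted directory, so remote config
    cannot point the launcher at an arbitrary executable.
    """
    if requested != os.path.basename(requested) or requested not in allowed:
        return None
    trusted = {os.path.realpath(d) for d in dirs}
    for d in dirs:
        candidate = os.path.realpath(os.path.join(d, requested))
        if (os.path.dirname(candidate) in trusted and os.path.isfile(candidate)
                and os.access(candidate, os.X_OK)):
            return candidate
    return None


def validate_prompt(body):
    """Parse {"prompt": str} from the request body and bound its size; reject the rest."""
    if len(body) > MAX_PROMPT_BYTES:
        raise ValueError("prompt too large")
    try:
        payload = json.loads(body)
    except ValueError:
        raise ValueError("body is not JSON")
    prompt = payload.get("prompt") if isinstance(payload, dict) else None
    if not isinstance(prompt, str) or not prompt.strip() or "\x00" in prompt:
        raise ValueError("prompt must be a non-empty string")
    return prompt


class ExecuteHandler(http.server.BaseHTTPRequestHandler):
    token = None    # loaded once from the environment at startup
    binary = None   # resolved once at startup, never per request from remote config

    def do_POST(self):
        if self.path != "/execute":
            return self._reply(404, {"error": "not found"})
        if not authorized(self.headers.get("Authorization"), self.token):
            return self._reply(401, {"error": "unauthorized"})
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            length = -1
        if not 0 < length <= MAX_PROMPT_BYTES:
            return self._reply(413, {"error": "bad or oversized body"})
        try:
            prompt = validate_prompt(self.rfile.read(length))
        except ValueError as exc:
            return self._reply(400, {"error": str(exc)})
        try:   # argv list, no shell, bounded runtime; "--prompt" is a hypothetical flag
            proc = subprocess.run([self.binary, "--prompt", prompt], capture_output=True,
                                  text=True, timeout=60)
        except subprocess.TimeoutExpired:
            return self._reply(504, {"error": "agent timed out"})
        self._reply(200, {"exit": proc.returncode, "stdout": proc.stdout[:MAX_PROMPT_BYTES]})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):   # keep request lines out of stdout/logs
        pass


def serve(port=8765):
    ExecuteHandler.token = os.environ.get("LOBSTER_ADAPTER_TOKEN")   # assumption
    ExecuteHandler.binary = resolve_binary("nanobot")
    if not ExecuteHandler.token or not ExecuteHandler.binary:
        raise SystemExit("refusing to start without a token and an allowlisted binary")
    # Loopback only: the adapter is never reachable from the network.
    http.server.HTTPServer(("127.0.0.1", port), ExecuteHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Two design points matter more than the rest. The binary is resolved once at startup from a fixed allowlist, so a poisoned execution_config or cache can at most choose between already-trusted programs; and the server binds to 127.0.0.1, so even a leaked token is only usable by processes already on the host. Neither change addresses prompt injection against the agent itself: a caller who holds the token can still drive the agent, which is why the overview recommends explicit user confirmation before sensitive actions.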

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The script performs process orchestration—starting, stopping, and health-checking local services for agents—rather than just market-side registration or discovery. In this skill context, that broadens the blast radius: a user expecting marketplace operations may unknowingly trigger local runtime control over multiple agent processes.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Service-discovery trigger phrases such as generic search/find language are broad enough to match ordinary conversation unintentionally. In this skill's context, accidental activation can cause network queries, exposure of marketplace metadata, or unexpected workflow transitions without the user clearly intending to invoke the market-discovery function.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Invocation triggers include everyday expressions like asking for help with a task, which can overlap with normal assistant dialogue. Because this skill can call external services and potentially spend wallet funds or transmit user inputs to third-party agents, ambiguous invocation creates a material risk of unintended external actions and data disclosure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Wallet triggers like 'balance' or 'topup' are generic financial terms that may arise in unrelated discussion. In a skill connected to wallet operations, accidental intent matching could expose financial information or initiate sensitive payment-related flows that should require stronger user intent verification.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Authentication triggers include broad terms like 'login', 'API Key', and '密钥' (Chinese for "secret key"), which are highly sensitive and likely to appear in many contexts. In a skill that stores JWTs, API keys, master keys, and agent secrets, ambiguous auth activation could prompt handling, displaying, or overwriting credentials inappropriately, increasing the chance of secret leakage or account compromise.
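The four Vague Triggers findings above share one mechanism: a keyword anywhere in the conversation activates the category. The following added example (written for this page, not the skill's trigger code) puts the documented keyword matching beside a gated matcher that requires an explicit invocation prefix and flags money, credential and third-party categories for confirmation. The trigger table, the "lobster market" prefix and the sample utterances are constructed; the prefix is an assumption about how the skill would be addressed.

```python
# Added example (not the skill's code): keyword triggers versus gated, confirmed activation.
import re

# Constructed trigger table modelled on the categories the findings describe.
TRIGGERS = {
    "discovery": ("search", "find"),
    "task":      ("help with", "help me", "task"),
    "wallet":    ("balance", "topup", "top up"),
    "auth":      ("login", "api key", "密钥"),   # 密钥 = "secret key"
}
# Categories whose side effects are money, credentials or calls to third-party agents.
SENSITIVE = {"task", "wallet", "auth"}
# Assumption: the skill is only addressed when the utterance starts with its name.
INVOCATION = re.compile(r"^\s*lobster(?: market)?[,:]?\s+", re.IGNORECASE)


def naive_match(utterance):
    """Substring matching as documented: any keyword anywhere activates the category."""
    text = utterance.lower()
    return {cat for cat, words in TRIGGERS.items() if any(w in text for w in words)}


def gated_match(utterance):
    """Return (categories, needs_confirmation).

    Activation requires the explicit invocation prefix; keywords are then matched
    only in the text after it, and any sensitive category is flagged so the host
    asks the user before the skill may act.
    """
    m = INVOCATION.match(utterance)
    if not m:
        return set(), False
    text = utterance[m.end():].lower()
    cats = {cat for cat, words in TRIGGERS.items() if any(w in text for w in words)}
    return cats, bool(cats & SENSITIVE)


# Constructed utterances: two ordinary sentences, three explicit invocations.
SAMPLE_UTTERANCES = [
    "Can you help me find a better balance between work and sleep?",
    "I forgot my login for the gym website, any idea where to look?",
    "Lobster Market: find agents that do document translation",
    "lobster market topup my wallet with 10 credits",
    "Lobster, show my API key so I can rotate it",
]


def compare(utterances=SAMPLE_UTTERANCES):
    """Rows of (utterance, naive categories, gated categories, needs_confirmation)."""
    return [(u, naive_match(u), *gated_match(u)) for u in utterances]


if __name__ == "__main__":
    for utt, naive, gated, confirm in compare():
        print(f"{utt!r}\n  naive: {sorted(naive)}  gated: {sorted(gated)}  confirm: {confirm}")
```

On the sample, the first sentence fires three categories (task, discovery, wallet) under substring matching and none under gating; the two wallet and auth invocations still activate under gating but come back with needs_confirmation set, which is the tier the findings ask for before payment or credential handling.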

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This section documents secret-bearing flows such as `agent-register` returning `master_key` and `agent_key`, `login-by-key`, one-time login codes, and token exchange, but it provides no warning about treating these values as credentials, avoiding logs, or restricting exposure. In the context of a conversational agent-management skill, this is more dangerous because users may paste, store, or relay these secrets through chat-driven workflows, increasing the likelihood of credential leakage and account takeover.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The design explicitly stores both the Master Key and Agent Key plus their corresponding secrets in a local file. Even with mode 600, local plaintext storage of the highest-privilege credential materially increases the blast radius of malware, local compromise, backups, shell history leakage, or accidental exfiltration; the Master Key can also be used for web login and full account management.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The CLI design says that a normal service call will automatically trigger account registration when no credentials exist, which can silently create an account and persist new secrets on disk. Implicit credential creation without a clear prompt or warning is dangerous because users may unknowingly create long-lived credentials, lose track of where they were stored, or run the command in shared or automated environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The adapter forwards user-supplied message content directly to a third-party LLM API, which creates a real data exposure risk if users submit secrets, wallet data, or other sensitive operational content. In this skill's context—agent management, service invocation, and wallet-related workflows—the transmitted content may include financially sensitive or privileged data, making the lack of disclosure and consent more dangerous.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill stores highly sensitive long-lived credentials, including master_key, master_secret, agent_key, and agent_secret, in plaintext JSON files under the user's home directory. On multi-user systems or misconfigured environments, these files may be readable by other local users, backup tools, or malware, enabling account takeover and unauthorized API access.
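The two findings on local credential storage (plaintext master and agent secrets under the home directory, and exposure even at mode 600) and the overview's advice to protect or remove the ~/.lobster-market files call for a concrete check. The following added example is an audit script written for this page, not part of the skill: it walks the credential directory, reports files readable or writable by other users and files not owned by the caller, lists plaintext fields whose names match the credential names in the findings, and can tighten permissions to owner-only. The directory layout, the exact file and field names, and the placeholder values in the demo store are assumptions; POSIX permission bits are assumed.

```python
# Added example (not the skill's code): audit and lock down a local credential store.
import json
import os
import stat
import tempfile

CREDENTIAL_DIR = os.path.expanduser("~/.lobster-market")   # assumption: layout from the findings
# Field names taken from the findings, plus common token field names.
SENSITIVE_FIELDS = {"master_key", "master_secret", "agent_key", "agent_secret",
                    "jwt", "access_token", "refresh_token", "api_key"}


def _mode_issues(path):
    """Permission problems for one path: exposure to other users or foreign ownership."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    issues = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append(f"readable by group/other (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"writable by group/other (mode {mode:04o})")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        issues.append("not owned by the current user")
    return issues


def _secret_fields(obj, prefix=""):
    """Dotted paths of non-empty string values stored under a sensitive field name."""
    found = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            path = f"{prefix}{key}"
            if key.lower() in SENSITIVE_FIELDS and isinstance(val, str) and val:
                found.append(path)
            found += _secret_fields(val, path + ".")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            found += _secret_fields(val, f"{prefix}{i}.")
    return found


def audit_credential_dir(root=CREDENTIAL_DIR):
    """Return [{path, issue}] for permission and plaintext-secret problems under root."""
    report = []
    if not os.path.isdir(root):
        return report
    report += [{"path": root, "issue": i} for i in _mode_issues(root)]
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            report += [{"path": path, "issue": i} for i in _mode_issues(path)]
            if not name.endswith(".json"):
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue
            report += [{"path": path, "issue": f"plaintext credential field {field}"}
                       for field in _secret_fields(data)]
    return report


def lock_down(root=CREDENTIAL_DIR):
    """Owner-only permissions: 0700 on directories, 0600 on files. Does not remove plaintext."""
    for dirpath, _, files in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in files:
            os.chmod(os.path.join(dirpath, name), 0o600)


def build_demo_store():
    """Constructed credential store with placeholder values, world-readable as the findings describe."""
    root = tempfile.mkdtemp(prefix="lobster-demo-")
    path = os.path.join(root, "credentials.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"master_key": "mk_demo_placeholder", "master_secret": "ms_demo_placeholder",
                   "agents": [{"agent_key": "ak_demo_placeholder",
                               "agent_secret": "as_demo_placeholder"}]}, fh)
    os.chmod(path, 0o644)
    return root


if __name__ == "__main__":
    demo = build_demo_store()
    for item in audit_credential_dir(demo):
        print(f"{item['path']}: {item['issue']}")
    lock_down(demo)
    print("after lock_down:", [i["issue"] for i in audit_credential_dir(demo)])
```

The audit never prints credential values, only the field paths where they sit. After lock_down only the plaintext findings remain, which is the point the second finding makes: permissions shrink the set of local readers, but the master key is still recoverable by anything running as the user, by backups and by malware, so the real fix is to keep the master key out of the file and hold only the agent key there.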

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal