Lobster Market
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherently aimed at managing a marketplace, but it stores powerful local credentials and can run persistent, unauthenticated agent endpoints that perform account, wallet, publishing, and task-execution actions with unclear approval boundaries.
Install or run this only if you are comfortable giving it control over Lobster Market account, wallet, agent publishing, and task execution workflows. Before use, restrict local credential files, avoid running adapters on public networks, bind services to localhost, review every financial or public action, and stop the background agents when not needed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misunderstood natural-language request or overly broad default could change marketplace listings, affect keys, create public reviews, or initiate paid activity.
The skill explicitly exposes marketplace publishing, paid service calls, wallet top-ups, API-key revocation, and public reviews as commands the agent may call internally, but the artifacts do not show mandatory user confirmation, spending caps, or change previews.
The following commands are for the Agent to call internally... scripts/lobster.py publish '<json>' ... scripts/lobster.py call <listing_id> '<input_json>' ... scripts/lobster.py topup <amount> ... scripts/lobster.py revoke-key <key_id> ... scripts/lobster.py review <listing_id>
Require explicit confirmation before every financial, public, credential, or destructive mutation; show the exact payload, price, target account/listing, and undo options before execution.
Anyone or any process that can read these local files could potentially control the Lobster Market account, agent credentials, and related wallet or marketplace actions.
The CLI stores master and agent keys/secrets in plaintext local files. The artifacts describe master keys as able to obtain JWTs and manage account functions, but the shown code does not enforce chmod 600, encryption, or keychain storage.
MASTER_KEY_FILE.write_text(json.dumps({"user_id": result.get("user_id", ""), "master_key": result.get("master_key", ""), "master_secret": result.get("master_secret", ""), "agent_key": result.get("agent_key", ""), "agent_secret": result.get("agent_secret", "")}, indent=2))
Store secrets in an OS keychain or encrypted credential store, set restrictive file permissions explicitly, use least-privilege agent keys by default, and declare these credentials in the skill metadata.
If the adapter is reachable on a network, other machines could submit tasks, consume LLM/API quota, or access behavior intended only for the marketplace connector.
The LLM adapter registers an unauthenticated /execute route and binds it to all network interfaces. Similar adapter patterns are present for other local agent types.
app.router.add_post("/execute", handle_execute) ... web.run_app(app, host="0.0.0.0", port=args.port, print=None)
Bind adapters to 127.0.0.1 by default, require an authentication token or mTLS for /execute, and document firewall requirements.
Marketplace or network-originated task content could cause local agent tooling to run in the user's environment, depending on the configured OpenClaw agent's permissions.
Incoming task text to the adapter is used to invoke a local OpenClaw agent process. Although this avoids shell interpolation, it still lets remote or network-delivered tasks trigger local agent execution.
cmd = ["openclaw", "agent"] ... cmd += ["--message", message_text] ... proc = await asyncio.create_subprocess_exec(*cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
Run adapters in a sandbox with limited filesystem/network access, require authenticated task origin, and ask for approval before enabling adapters that can invoke local agents with tools.
After being started, agents may continue accepting and processing marketplace tasks without a human present.
The launcher intentionally starts background adapter and connector processes and records PIDs so they keep running until stopped. This is coherent for a marketplace agent, but users should notice the ongoing autonomous behavior.
PID_DIR = Path("/tmp/lobster-agents") ... proc = subprocess.Popen(cmd, stdout=lf, stderr=subprocess.STDOUT, env=env) ... (PID_DIR / f"{role}-connect.pid").write_text(str(proc.pid))
Make start/stop state visible, default to manual or bounded sessions, and provide clear guidance for stopping agents and reviewing logs.
Users may not realize what packages, binaries, or provider credentials are needed before running the skill's scripts.
The metadata under-declares operational dependencies and credentials compared with the provided scripts, which import aiohttp/websockets and optionally use OpenClaw, Nanobot, DashScope, or OpenAI credentials.
No install spec — this is an instruction-only skill. Required binaries: none. Required env vars: none. Code file presence: 8 code file(s).
Declare required and optional dependencies, environment variables, credential files, and supported runtime modes in metadata and pin package versions where possible.
