Lobster Market

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A misunderstood natural-language request or overly broad default could change marketplace listings, affect keys, create public reviews, or initiate paid activity.

Why it was flagged

The skill explicitly exposes marketplace publishing, paid service calls, wallet top-ups, API-key revocation, and public reviews as commands the agent may call internally, but the artifacts do not show mandatory user confirmation, spending caps, or change previews.

Skill content
The following commands are for the Agent to call internally... scripts/lobster.py publish '<json>' ... scripts/lobster.py call <listing_id> '<input_json>' ... scripts/lobster.py topup <amount> ... scripts/lobster.py revoke-key <key_id> ... scripts/lobster.py review <listing_id>
Recommendation

Require explicit confirmation before every financial, public, credential, or destructive mutation; show the exact payload, price, target account/listing, and undo options before execution.

What this means

Anyone or any process that can read these local files could potentially control the Lobster Market account, agent credentials, and related wallet or marketplace actions.

Why it was flagged

The CLI stores master and agent keys/secrets in plaintext local files. The artifacts describe master keys as able to obtain JWTs and manage account functions, but the shown code does not enforce chmod 600, encryption, or keychain storage.

Skill content
MASTER_KEY_FILE.write_text(json.dumps({"user_id": result.get("user_id", ""), "master_key": result.get("master_key", ""), "master_secret": result.get("master_secret", ""), "agent_key": result.get("agent_key", ""), "agent_secret": result.get("agent_secret", "")}, indent=2))
Recommendation

Store secrets in an OS keychain or encrypted credential store, set restrictive file permissions explicitly, use least-privilege agent keys by default, and declare these credentials in the skill metadata.

What this means

If the adapter is reachable on a network, other machines could submit tasks, consume LLM/API quota, or access behavior intended only for the marketplace connector.

Why it was flagged

The LLM adapter registers an unauthenticated /execute route and binds it to all network interfaces. Similar adapter patterns are present for other local agent types.

Skill content
app.router.add_post("/execute", handle_execute) ... web.run_app(app, host="0.0.0.0", port=args.port, print=None)
Recommendation

Bind adapters to 127.0.0.1 by default, require an authentication token or mTLS for /execute, and document firewall requirements.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution
What this means

Marketplace or network-originated task content could cause local agent tooling to run in the user's environment, depending on the configured OpenClaw agent's permissions.

Why it was flagged

Incoming task text to the adapter is used to invoke a local OpenClaw agent process. Although this avoids shell interpolation, it still lets remote or network-delivered tasks trigger local agent execution.

Skill content
cmd = ["openclaw", "agent"] ... cmd += ["--message", message_text] ... proc = await asyncio.create_subprocess_exec(*cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
Recommendation

Run adapters in a sandbox with limited filesystem/network access, require authenticated task origin, and ask for approval before enabling adapters that can invoke local agents with tools.

Note (High Confidence)
ASI10: Rogue Agents
What this means

After being started, agents may continue accepting and processing marketplace tasks without a human present.

Why it was flagged

The launcher intentionally starts background adapter and connector processes and records PIDs so they keep running until stopped. This is coherent for a marketplace agent, but users should notice the ongoing autonomous behavior.

Skill content
PID_DIR = Path("/tmp/lobster-agents") ... proc = subprocess.Popen(cmd, stdout=lf, stderr=subprocess.STDOUT, env=env) ... (PID_DIR / f"{role}-connect.pid").write_text(str(proc.pid))
Recommendation

Make start/stop state visible, default to manual or bounded sessions, and provide clear guidance for stopping agents and reviewing logs.

What this means

Users may not realize what packages, binaries, or provider credentials are needed before running the skill's scripts.

Why it was flagged

The metadata under-declares operational dependencies and credentials compared with the provided scripts, which import aiohttp/websockets and optionally use OpenClaw, Nanobot, DashScope, or OpenAI credentials.

Skill content
No install spec — this is an instruction-only skill. Required binaries: none. Required env vars: none. Code file presence: 8 code file(s).
Recommendation

Declare required and optional dependencies, environment variables, credential files, and supported runtime modes in metadata and pin package versions where possible.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
references/auth-billing-design.md:264
Finding
File appears to expose a hardcoded API secret or token.