lobsterops Security Report — Trusted | ClawSafe

0 /100

lobsterops

AI Agent Observability & Debug Console - flight recorder and debug console for autonomous AI systems

LobsterOps is a legitimate AI agent observability tool with no malicious behavior. All capabilities are declared, PII filtering is implemented, and local storage is the default.

Skill Namelobsterops

Duration43.6s

Enginepi

✓

Safe to install

This skill is safe to use. The local storage backends (JSON, SQLite) ensure data stays on-device by default. If using Supabase, ensure proper credential management.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	JsonFileStorage.js and SQLiteStorage.js write to configurable directories, decla…
Network	`READ`	`READ`	✓ Aligned	SupabaseStorage.js connects to Supabase only when explicitly configured
Database	`WRITE`	`WRITE`	✓ Aligned	SQLiteStorage.js and SupabaseStorage.js write to local/cloud databases
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`NONE`	`NONE`	—	No environment variable iteration or credential harvesting

15 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/npm/v/lobsterops.svg

README.md:6

🔗

Medium External URL 外部 URL

https://www.npmjs.com/package/lobsterops

README.md:6

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/License-MIT-yellow.svg

README.md:7

🔗

Medium External URL 外部 URL

https://opensource.org/licenses/MIT

README.md:7

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/built%20by-an%20AI%20agent-e8263a

README.md:8

🔗

Medium External URL 外部 URL

https://x.com/lobsteractual

README.md:8

🔗

Medium External URL 外部 URL

https://lobsterops.dev

README.md:10

🔗

Medium External URL 外部 URL

https://lobsterops.dev/demo

README.md:10

🔗

Medium External URL 外部 URL

https://replit.com/badge/github/noeldelisle/LobsterOps

README.md:43

🔗

Medium External URL 外部 URL

https://replit.com/new/github/noeldelisle/LobsterOps

README.md:43

🔗

Medium External URL 外部 URL

https://openclaw.ai

README.md:242

🔗

Medium External URL 外部 URL

https://claude.ai/code

README.md:370

🔗

Medium External URL 外部 URL

https://x.com/noeldelisle

README.md:370

🔗

Medium External URL 外部 URL

https://your-project.supabase.co

SKILL.md:76

📧

Info Email 邮箱地址

[email protected]

tests/LobsterOps.test.js:503

File Tree

21 files · 159.8 KB · 5256 lines

JavaScript 17f · 4681L Markdown 3f · 542L JSON 1f · 33L

├─ ▾ 📁 src

│ ├─ ▾ 📁 core

│ │ ├─ 📜 AlertManager.js JavaScript 252L · 6.7 KB

│ │ ├─ 📜 Analytics.js JavaScript 229L · 6.9 KB

│ │ ├─ 📜 DebugConsole.js JavaScript 268L · 6.8 KB

│ │ ├─ 📜 Exporter.js JavaScript 151L · 4.4 KB

│ │ ├─ 📜 LobsterOps.js JavaScript 501L · 13.7 KB

│ │ ├─ 📜 OpenClawInstrumentation.js JavaScript 225L · 7.2 KB

│ │ └─ 📜 PIIFilter.js JavaScript 79L · 2.3 KB

│ └─ ▾ 📁 storage

│ ├─ 📜 JsonFileStorage.js JavaScript 415L · 12.8 KB

│ ├─ 📜 MemoryStorage.js JavaScript 252L · 7.3 KB

│ ├─ 📜 SQLiteStorage.js JavaScript 487L · 14.2 KB

│ ├─ 📜 StorageAdapter.js JavaScript 88L · 2.6 KB

│ ├─ 📜 StorageFactory.js JavaScript 73L · 2.5 KB

│ └─ 📜 SupabaseStorage.js JavaScript 471L · 13.9 KB

├─ ▾ 📁 tests

│ └─ 📜 LobsterOps.test.js JavaScript 967L · 32.0 KB

├─ 📝 CONTRIBUTING.md Markdown 72L · 2.3 KB

├─ 📜 example.js JavaScript 191L · 6.9 KB

├─ 📜 index.js JavaScript 27L · 985 B

├─ 📜 jest.config.js JavaScript 5L · 89 B

├─ 📋 package.json JSON 33L · 888 B

├─ 📝 README.md Markdown 374L · 11.8 KB

└─ 📝 SKILL.md Markdown 96L · 3.7 KB

Dependencies 5 items

Package	Version	Source	Known Vulns	Notes
`@supabase/supabase-js`	`^2.99.2`	npm	No	Used only when Supabase backend is explicitly configured
`express`	`^4.22.1`	npm	No	Not used in core skill code
`uuid`	`^9.0.1`	npm	No	Standard UUID generation
`sqlite3`	`^6.0.1`	npm	No	Optional SQLite backend
`jest`	`^29.7.0`	npm	No	Dev dependency only

Security Positives

✓ PII filtering implemented for emails, phone numbers, SSNs, credit cards, IP addresses, and API keys

✓ Local storage by default (JSON files, SQLite) - no data leaves device unless Supabase configured

✓ Supabase requires explicit URL and key configuration - no auto-discovery of credentials

✓ Retention policies automatically clean up old data based on configurable age limits

✓ No shell execution, subprocess, or system command calls

✓ No credential harvesting from environment variables or sensitive paths (~/.ssh, ~/.aws, .env)

✓ No base64 encoding, eval(), or suspicious patterns (curl|bash, wget|sh)

✓ OpenClawInstrumentation provides hooks for agent event capture but is read-only

✓ Well-documented SKILL.md with clear security and guardrails section

✓ Clear separation of storage backends with user-controlled configuration

Scan Report

File Tree

Dependencies 5 items

Security Positives