lobster-continuous-learning-v2 Security Report — Trusted | ClawSafe

5 /100

lobster-continuous-learning-v2

Instinct-based learning system that observes sessions, creates atomic instincts with confidence scoring, and evolves them into skills/commands/agents

Legitimate continuous learning system with no malicious behavior. Observations stay local, secret scrubbing is implemented, and all shell/network operations are documented and necessary for the feature.

Skill Namelobster-continuous-learning-v2

Duration64.3s

Enginepi

✓

Safe to install

No action required. Skill is safe to use.

Findings 2 items

Severity	Finding	Location
Info	Secret Scrubbing Regex May Miss Edge Cases Sensitive Access The _SECRET_RE pattern in observe.sh may not catch all credential formats (e.g., Bearer tokens without proper spacing). However, observations stay local and no exfiltration occurs. `r"(?i)(api[_-]?key\|token\|secret\|password\|authorization\|credentials?\|auth)"` → Consider expanding regex to catch more patterns like 'Bearer ', 'ghp_', 'sk-' prefixes	`hooks/observe.sh:198`
Info	External URL Reference Doc Mismatch SKILL.md contains a reference to an external Twitter/X URL (https://x.com/affaanmustafa/status/...). This is a documentation link, not executable code. `https://x.com/affaanmustafa/status/2014040193557471352` → No action needed - this is just a documentation link	`SKILL.md:361`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✓ Aligned	Write operations limited to ~/.claude/homunculus/ project storage directories
Shell	`READ`	`READ`	✓ Aligned	subprocess.run for git detection only, no arbitrary command execution
Network	`READ`	`READ`	✓ Aligned	URL fetch only for instinct import, documented in SKILL.md
Environment	`NONE`	`READ`	✓ Aligned	Reads CLAUDE_PROJECT_DIR and git-related vars for project detection

2 findings

🔗

Medium External URL 外部 URL

https://x.com/affaanmustafa/status/2014040193557471352

SKILL.md:361

📧

Info Email 邮箱地址

[email protected]

scripts/detect-project.sh:96

File Tree

10 files · 154.4 KB · 4302 lines

Python 2f · 2410L Shell 5f · 1321L Markdown 2f · 563L JSON 1f · 8L

├─ ▾ 📁 agents

│ ├─ 🔧 observer-loop.sh Shell 271L · 9.2 KB

│ ├─ 📝 observer.md Markdown 198L · 7.2 KB

│ ├─ 🔧 session-guardian.sh Shell 150L · 6.2 KB

│ └─ 🔧 start-observer.sh Shell 244L · 7.3 KB

├─ ▾ 📁 hooks

│ └─ 🔧 observe.sh Shell 428L · 15.8 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 detect-project.sh Shell 228L · 7.6 KB

│ ├─ 🐍 instinct-cli.py Python 1426L · 56.4 KB

│ └─ 🐍 test_parse_instinct.py Python 984L · 32.3 KB

├─ 🔑 config.json ⚠ JSON 8L · 135 B

└─ 📝 SKILL.md Markdown 365L · 12.3 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`N/A`	pip	No	No external dependencies used - only stdlib

Security Positives

✓ Secret scrubbing implemented to redact API keys, tokens, passwords before persisting observations

✓ Git credential stripping in detect-project.sh removes embedded credentials from remote URLs

✓ Path traversal protection blocks access to system directories (/etc, /usr, /bin, etc.)

✓ Project-scoped storage isolates data between different projects

✓ Observer agent uses minimal toolset (Read, Write only) with controlled Haiku model

✓ PID validation prevents signaling invalid process IDs

✓ Atomic file writes with tempfile + os.replace prevent corruption

✓ File locking (fcntl) prevents concurrent write race conditions

✓ No base64-encoded payloads or obfuscation techniques

✓ No ~/.ssh, ~/.aws, or other sensitive path access

✓ No curl|bash or remote script execution patterns

✓ No C2 or data exfiltration - all observations stay local

✓ Session guardian prevents observer from running during automated sessions

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives