lobster-says Security Report — Low Risk | ClawSafe

25 /100

lobster-says

🦞 虾说——你的专属共情虾。每天早晚给你一句关心的话

The lobster-says skill is a legitimate companion app with no malicious behavior, but SKILL.md does not fully declare all actual capabilities (filesystem:WRITE for config/log storage, transcript reading from ~/.openclaw sessions directory, shell:WRITE for cron setup).

Skill Namelobster-says

Duration75.2s

Enginepi

✓

Safe to install

Update SKILL.md to explicitly declare filesystem:WRITE (for .lobster-config, logs/), shell:WRITE (for cron registration via openclaw cron), and the transcript digest reading from ~/.openclaw/agents/main/sessions when memory_mode is smart/deep.

Findings 5 items

Severity	Finding	Location
Medium	Transcript session files read without explicit declaration digest-transcript.sh reads ~/.openclaw/agents/main/sessions/*.jsonl files to extract conversation history for smart/deep memory modes. SKILL.md's '冷启动记忆' section only declares USER.md/MEMORY.md import but does not mention openclaw session JSONL file reading. `SESSIONS_DIR="${OPENCLAW_BASE}/agents/main/sessions"` → Add a section in SKILL.md explicitly declaring that smart/deep modes read transcript data from ~/.openclaw/agents/main/sessions/	`digest-transcript.sh:79`
Medium	Config file write not declared in SKILL.md init-lobster.sh writes the access_token and user_id to .lobster-config in the skill directory. SKILL.md declares API interactions but not the local persistent storage of credentials. `json.dump(config, f, indent=2, ensure_ascii=False)` → Document that credentials are stored in {baseDir}/.lobster-config	`init-lobster.sh:293`
Low	Shell script execution not declared as capability SKILL.md declares openclaw and curl as required binaries but does not explicitly declare shell:WRITE or that the skill uses bash script execution. The openclaw.json metadata lists requires.anyBins but this is not a formal capability declaration. `metadata: {openclaw: {requires: {anyBins: [python3, python, curl, openclaw]}}}` → Add a formal 'capabilities' section or document bash as the execution model	`SKILL.md:1`
Low	Gateway token loaded from openclaw.json without explicit declaration setup-cron.sh reads gateway auth configuration from ~/.openclaw/openclaw.json to register cron jobs. This read of openclaw config is not declared in SKILL.md. `OPENCLAW_CONFIG_FILE="${OPENCLAW_CONFIG_FILE:-$HOME/.openclaw/openclaw.json}"` → Document that the skill reads openclaw configuration for cron registration purposes	`setup-cron.sh:111`
Info	openclaw sessions --json --active used for channel detection Multiple scripts call 'openclaw sessions --json --active' to detect the current IM channel for message delivery. This is a legitimate feature dependency documented as part of the initialization flow. `openclaw sessions --json --active` → No action needed — this is declared in SKILL.md initialization flow	`init-lobster.sh:82`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`WRITE`	✓ Aligned	init-lobster.sh:260 — curl -X POST to /api/lobster (write), digest-transcript.sh…
Filesystem	`READ`	`WRITE`	✗ Violation	init-lobster.sh:294 — writes .lobster-config; setup-cron.sh:318 — modifies cront…
Shell	`NONE`	`WRITE`	✗ Violation	All 6 shell scripts execute bash; setup-cron.sh registers cron via openclaw CLI
Environment	`NONE`	`READ`	✓ Aligned	Multiple scripts read HOME, OPENCLAW_PROFILE, OPENCLAW_CONFIG_FILE env vars to r…

5 findings

🔗

Medium External URL 外部 URL

https://nixiashuo.com/api/memory/ingest

SKILL.md:164

🔗

Medium External URL 外部 URL

https://nixiashuo.com/api/lobster/

SKILL.md:228

🔗

Medium External URL 外部 URL

https://nixiashuo.com/api/generate

SKILL.md:232

🔗

Medium External URL 外部 URL

https://nixiashuo.com

digest-transcript.sh:43

📧

Info Email 邮箱地址

[email protected]

README.md:139

File Tree

9 files · 100.0 KB · 2860 lines

Shell 6f · 2341L Markdown 2f · 485L JSON 1f · 34L

├─ 🔧 digest-transcript.sh Shell 323L · 12.2 KB

├─ 🔧 init-lobster.sh Shell 455L · 18.2 KB

├─ 📋 openclaw.json JSON 34L · 664 B

├─ 🔧 push-scheduled-message.sh Shell 560L · 18.9 KB

├─ 📝 README.md Markdown 201L · 7.6 KB

├─ 🔧 send-current-screenshot.sh Shell 472L · 14.5 KB

├─ 🔧 send-studio-link.sh Shell 123L · 3.5 KB

├─ 🔧 setup-cron.sh Shell 408L · 12.5 KB

└─ 📝 SKILL.md Markdown 284L · 12.0 KB

Security Positives

✓ All external network requests go to a single declared domain (nixiashuo.com) via HTTPS — no third-party data exfiltration

✓ SKILL.md explicitly documents all three external API endpoints and the Authorization: Bearer pattern

✓ Privacy mode (privacy_mode: true) is set in smart mode digest uploads, preventing raw transcript leakage

✓ No hardcoded credentials or API keys — all tokens loaded from config or environment

✓ Local screenshot files use mktemp in ~/.openclaw/media and are cleaned up after use

✓ Studio links use short-lived tokens — SKILL.md explicitly prohibits long-term token URLs

✓ No base64+bash, eval(), or other high-risk code patterns observed

✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths

✓ All shell script invocations are for legitimate companion-app features (cron, push, digest)

Scan Report

Findings 5 items

File Tree

Security Positives