lobster-says 安全扫描报告 — 低风险 | ClawSafe

25 /100

lobster-says

🦞 虾说——你的专属共情虾。每天早晚给你一句关心的话

The lobster-says skill is a legitimate companion app with no malicious behavior, but SKILL.md does not fully declare all actual capabilities (filesystem:WRITE for config/log storage, transcript reading from ~/.openclaw sessions directory, shell:WRITE for cron setup).

技能名称lobster-says

分析耗时75.2s

引擎pi

✓

可以安装

Update SKILL.md to explicitly declare filesystem:WRITE (for .lobster-config, logs/), shell:WRITE (for cron registration via openclaw cron), and the transcript digest reading from ~/.openclaw/agents/main/sessions when memory_mode is smart/deep.

安全发现 5 项

严重性	安全发现	位置
中危	Transcript session files read without explicit declaration digest-transcript.sh reads ~/.openclaw/agents/main/sessions/*.jsonl files to extract conversation history for smart/deep memory modes. SKILL.md's '冷启动记忆' section only declares USER.md/MEMORY.md import but does not mention openclaw session JSONL file reading. `SESSIONS_DIR="${OPENCLAW_BASE}/agents/main/sessions"` → Add a section in SKILL.md explicitly declaring that smart/deep modes read transcript data from ~/.openclaw/agents/main/sessions/	`digest-transcript.sh:79`
中危	Config file write not declared in SKILL.md init-lobster.sh writes the access_token and user_id to .lobster-config in the skill directory. SKILL.md declares API interactions but not the local persistent storage of credentials. `json.dump(config, f, indent=2, ensure_ascii=False)` → Document that credentials are stored in {baseDir}/.lobster-config	`init-lobster.sh:293`
低危	Shell script execution not declared as capability SKILL.md declares openclaw and curl as required binaries but does not explicitly declare shell:WRITE or that the skill uses bash script execution. The openclaw.json metadata lists requires.anyBins but this is not a formal capability declaration. `metadata: {openclaw: {requires: {anyBins: [python3, python, curl, openclaw]}}}` → Add a formal 'capabilities' section or document bash as the execution model	`SKILL.md:1`
低危	Gateway token loaded from openclaw.json without explicit declaration setup-cron.sh reads gateway auth configuration from ~/.openclaw/openclaw.json to register cron jobs. This read of openclaw config is not declared in SKILL.md. `OPENCLAW_CONFIG_FILE="${OPENCLAW_CONFIG_FILE:-$HOME/.openclaw/openclaw.json}"` → Document that the skill reads openclaw configuration for cron registration purposes	`setup-cron.sh:111`
提示	openclaw sessions --json --active used for channel detection Multiple scripts call 'openclaw sessions --json --active' to detect the current IM channel for message delivery. This is a legitimate feature dependency documented as part of the initialization flow. `openclaw sessions --json --active` → No action needed — this is declared in SKILL.md initialization flow	`init-lobster.sh:82`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`WRITE`	✓ 一致	init-lobster.sh:260 — curl -X POST to /api/lobster (write), digest-transcript.sh…
文件系统	`READ`	`WRITE`	✗ 越权	init-lobster.sh:294 — writes .lobster-config; setup-cron.sh:318 — modifies cront…
命令执行	`NONE`	`WRITE`	✗ 越权	All 6 shell scripts execute bash; setup-cron.sh registers cron via openclaw CLI
环境变量	`NONE`	`READ`	✓ 一致	Multiple scripts read HOME, OPENCLAW_PROFILE, OPENCLAW_CONFIG_FILE env vars to r…

5 项发现

🔗

中危外部 URL 外部 URL

https://nixiashuo.com/api/memory/ingest

SKILL.md:164

🔗

中危外部 URL 外部 URL

https://nixiashuo.com/api/lobster/

SKILL.md:228

🔗

中危外部 URL 外部 URL

https://nixiashuo.com/api/generate

SKILL.md:232

🔗

中危外部 URL 外部 URL

https://nixiashuo.com

digest-transcript.sh:43

📧

提示邮箱邮箱地址

[email protected]

README.md:139

目录结构

9 文件 · 100.0 KB · 2860 行

Shell 6f · 2341L Markdown 2f · 485L JSON 1f · 34L

├─ 🔧 digest-transcript.sh Shell 323L · 12.2 KB

├─ 🔧 init-lobster.sh Shell 455L · 18.2 KB

├─ 📋 openclaw.json JSON 34L · 664 B

├─ 🔧 push-scheduled-message.sh Shell 560L · 18.9 KB

├─ 📝 README.md Markdown 201L · 7.6 KB

├─ 🔧 send-current-screenshot.sh Shell 472L · 14.5 KB

├─ 🔧 send-studio-link.sh Shell 123L · 3.5 KB

├─ 🔧 setup-cron.sh Shell 408L · 12.5 KB

└─ 📝 SKILL.md Markdown 284L · 12.0 KB

安全亮点

✓ All external network requests go to a single declared domain (nixiashuo.com) via HTTPS — no third-party data exfiltration

✓ SKILL.md explicitly documents all three external API endpoints and the Authorization: Bearer pattern

✓ Privacy mode (privacy_mode: true) is set in smart mode digest uploads, preventing raw transcript leakage

✓ No hardcoded credentials or API keys — all tokens loaded from config or environment

✓ Local screenshot files use mktemp in ~/.openclaw/media and are cleaned up after use

✓ Studio links use short-lived tokens — SKILL.md explicitly prohibits long-term token URLs

✓ No base64+bash, eval(), or other high-risk code patterns observed

✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths

✓ All shell script invocations are for legitimate companion-app features (cron, push, digest)