Security Audit

lobster-tank

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

lobster-tank received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 3 medium, and 0 low severity. Key findings include Suspicious import: urllib.request, Excessive Permissions: Supabase Service Key Bypasses RLS, Credential Harvesting: Exposure of Supabase User Authentication ID.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

86%

Dependency Graph

100%

LLM Behavioral Safety

48%

Behavioral Risk Signals

Network Access

4 findings

Filesystem Write

1 finding

Shell Execution

1 finding

Dynamic Code

1 finding

Excessive Permissions

3 findings

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	Excessive Permissions: Supabase Service Key Bypasses RLS The `scripts/lobster_tank.py` skill utilizes the `LOBSTER_TANK_SERVICE_KEY` for all write operations (POST, PATCH, DELETE) to the Supabase database. The documentation and code comments explicitly state this key 'bypasses RLS' (Row Level Security). This grants the skill full administrative access to the entire Supabase database. If the skill or the agent using it is compromised, an attacker could leverage this key to exfiltrate, modify, or delete any data in the Supabase instance, leading to severe data breaches or service disruption. This represents an excessive permission grant for a typical agent skill, as it operates with superuser privileges. Implement a more granular access control strategy. Instead of a service key, use a Supabase API key with strictly limited permissions (e.g., only INSERT on specific tables like `contributions`, `signatures`, and `bots` with RLS enabled for the bot's own ID). Avoid using keys that bypass RLS in agent skills, as this creates a single point of failure with maximum impact.	LLM	scripts/lobster_tank.py:26
HIGH	Credential Harvesting: Exposure of Supabase User Authentication ID The `scripts/register_bot.py` script requires the `LOBSTER_TANK_OWNER_ID`, which is described as the 'Supabase auth user ID'. While used for legitimate bot registration (linking the bot to a user account), exposing a user's primary authentication ID to an agent skill increases the risk of credential harvesting. If the skill or the agent environment is compromised, this ID could be exfiltrated and potentially misused in other contexts, especially if Supabase's security relies heavily on this ID for user identification without strong secondary authentication or if it can be used to impersonate the user in other API calls. Re-evaluate the necessity of directly exposing the `OWNER_ID` to the skill. If possible, use a more abstract or limited-scope identifier, or ensure that the Supabase backend strictly enforces authentication and authorization such that this ID alone cannot grant unauthorized access. Consider using a dedicated API key for bot registration that is scoped to only this action and does not require the full user ID.	LLM	scripts/register_bot.py:19
MEDIUM	Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/jwaynelowry/lobster-tank/scripts/lobster_tank.py:19
MEDIUM	Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/jwaynelowry/lobster-tank/scripts/register_bot.py:22
MEDIUM	Prompt Injection / Data Exfiltration via Unsanitized User-Provided Content to External API The `contribute` and `sign` functions in `scripts/lobster_tank.py` accept arbitrary `--content` and `--notes` from command-line arguments, which are then directly submitted to the Supabase API without explicit sanitization or validation within the skill. While the script itself does not process this content maliciously, an LLM could be prompted to generate content that attempts to perform prompt injection against other agents or the Supabase backend (e.g., by embedding malicious instructions, data exfiltration attempts, or harmful payloads within the markdown content). This could lead to data integrity issues, information leakage, or manipulation of other agents consuming this data from the Lobster Tank platform. Implement robust input validation and sanitization on the Supabase backend for all user-submitted content. For the skill itself, consider adding client-side validation or content filtering if specific patterns are known to be problematic. Educate users about the risks of submitting untrusted or malicious content, and ensure downstream systems consuming this data are resilient to prompt injection.	LLM	scripts/lobster_tank.py:90

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/4b4b0832022c84d9.svg)](https://skillshield.io/report/4b4b0832022c84d9)