Is joeproai/pixel-lobster safe?

https://github.com/openclaw/skills/tree/main/skills/joeproai/pixel-lobster

64
CAUTION

Pixel Lobster is an Electron desktop overlay that presents significant security concerns primarily through its renderer permission architecture: main.js unconditionally auto-approves all permission requests and pre-configures silent full-screen + system audio capture, eliminating all user consent mechanisms. The primary renderer lobster.html was not captured by the audit scanner, leaving the highest-risk surface uninspected. The skill's stated functionality is plausible and no active exfiltration was detected during the sandboxed install, but the permission setup is architecturally indistinguishable from a surveillance tool.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 80/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (7)

HIGH Auto-approval of all Electron permissions -30

main.js registers a permissionRequestHandler that unconditionally calls callback(true) for every permission request type. Any renderer code can obtain camera, microphone, geolocation, notifications, and other sensitive permissions without the user seeing any dialog or being able to deny the request.

HIGH Silent screen capture and system audio loopback pre-configured -35

main.js pre-configures the display media handler to automatically select the primary screen video source and enable system audio loopback capture. Any call to navigator.mediaDevices.getDisplayMedia() from the renderer will silently receive a full-screen recording with all system audio, bypassing the OS/Electron source-picker dialog entirely.

HIGH Primary renderer (lobster.html) not captured by audit scanner -30

The audit file scanner collects .md, .js, .json, .sh and other extensions but excludes .html. lobster.html is the main Electron renderer that inherits all auto-approved permissions including screen+audio capture. Its JavaScript content is completely uninspected. This is the highest-risk surface area in the skill.

MEDIUM Configurable TTS URL enables external data channel -20

The ttsUrl parameter is read from config.json and can be set to any external host. The renderer polls this URL every 45ms (ttsPollActiveMs) when active. A modified config or a social-engineering attack that changes this value could turn the polling loop into a high-frequency exfiltration channel to an attacker-controlled server.

MEDIUM Transparent always-on-top overlay with silent screen recording capability -25

The window is configured as alwaysOnTop, frame: false, transparent: true — an invisible overlay covering the entire display. Combined with the auto-approved screen+audio capture, this creates infrastructure for a surveillance tool. A malicious update to lobster.html could silently record user activity while appearing to be a harmless desktop pet.

LOW Install-time network traffic limited to GitHub -5

The only external connection during install was to 140.82.121.3:443 (GitHub.com) for the git clone. No unexpected DNS queries, no connections to third-party package registries beyond what npm would normally contact, no exfiltration attempts during clone phase.

INFO Canary files opened but not modified -5

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read twice during the audit window. Timing analysis confirms both accesses were from the audit monitoring infrastructure (pre-clone baseline read and post-analysis integrity verification), not from the skill. Content integrity confirmed intact.