🦞 GIGO · Lobster Taster
v1.2.3🦞 GIGO · Lobster Taster:本地拉取云端题包,完成整套龙虾试吃评测,生成 HTML 报告、PNG 证书、分享结果页和排行榜记录。Triggers: 试吃我的龙虾 / 鉴定我的龙虾 / taste my lobster / lobster eval.
0· 136·1 当前·1 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill mostly does what its name says (runs a local Python benchmark and can upload results), but the runtime instructions include deliberate restrictions (don’t inspect the repo / don’t run --help) and a pre-scan found unicode control characters in SKILL.md — both are red flags worth manual review before installing or allowing uploads.
评估建议
This skill appears to be a legitimate local benchmarking tool that will, by default, upload results and register a share page. Two things to consider before installing or running: (1) SKILL.md explicitly tells the agent not to inspect the repository or run --help — that is unusual and reduces transparency; combined with detected unicode control characters, this looks like a prompt-injection/anti-audit attempt. (2) The skill will contact external endpoints to upload and publish results (there are...详细分析 ▾
✓ 用途与能力
Name/description match the code and instructions: this is a Python-based local benchmarking/‘taster’ skill that can run a multi-stage evaluation, produce reports/certificates, and optionally upload results and register a share page. Requiring Python and offering wrapper scripts (run_upload.py etc.) is proportionate to its stated purpose.
⚠ 指令范围
SKILL.md contains explicit runtime rules that go beyond normal guidance: it instructs the agent to not inspect the repo, not run --help, and to start a specific wrapper directly. That reduces transparency and prevents routine checks; combined with the detected unicode-control-chars in the SKILL.md, this suggests a prompt-injection/anti-audit attempt. The instructions also default to uploading results to a cloud endpoint and entering a leaderboard unless the user asks otherwise — an important behavioral default the user should be aware of.
✓ 安装机制
No install spec (instruction-only install behavior) and the skill expects Python on PATH. No remote download or archive extraction is declared. The package includes many local Python files; simply having source bundled is normal for a local skill.
ℹ 凭证需求
The skill requests no credentials and uses a small set of GIGO_* environment variables and local filesystem paths (SOUL.md, ~/.openclaw workspace). That is proportionate. However, multiple files reference cloud interactions (gateway, score uploader, landing URLs like eval.agent-gigo.com and report upload/registration flows). Although no secret env vars are required, the skill will by default upload run artifacts and metadata to external endpoints — make sure you’re comfortable with that data flow.
✓ 持久化与权限
The skill is not set always:true and does not request elevated OS privileges. It runs as a normal skill and writes outputs into user workspace directories; nothing in the manifest indicates persistent system-wide changes or modifications to other skills' configs.
⚠ scripts/tasting_config.json:3
Install source points to URL shortener or raw IP.
安全有层次,运行前请审查代码。
运行时依赖
🖥️ OSmacOS · Linux · Windows
版本
latestv1.2.32026/4/9
1.2.3: expand user-facing skill docs, add web collaboration docs, and refresh release packaging.
● 无害
安装命令 点击复制
官方npx clawhub@latest install gigo-lobster-taster
镜像加速npx clawhub@latest install gigo-lobster-taster --registry https://cn.clawhub-mirror.com
技能文档
Mission
- 正式试吃模式:跑完整评测,默认上传云端、生成个人结果页并进入排行榜。
- Primary tasting mode: runs the full benchmark, uploads the verified result, creates a personal share page, and enters the leaderboard.
Trigger Phrases
- 中文:试吃我的龙虾 / 品鉴我的龙虾 / 鉴定我的龙虾 / 评估我的龙虾
- English: lobster taste / lobster taster / taste my lobster / lobster eval
Execution Rules
- Use a direct Python command on this skill directory's wrapper file. Never use
cd ... && python ...; OpenClaw preflight may reject it. - Prefer
python3, thenpython, thenpy. - If the user asked in Chinese, append
--lang zh. If the user asked in English, append--lang en. - Stream short progress updates while the benchmark is running.
- Keep stdout/stderr visible and remind the user that the full log is written to
gigo-run.log. - Do not run
--help, inspect the whole repo, or switch tomain.pyonce the wrapper command is clear. Start the wrapper directly. - If the wrapper starts a long-running process, do not kill it just because stdout is quiet for a while. A full tasting run often takes 15-25 minutes.
- While a long run is in progress, monitor the process and tail the log file under
~/.openclaw/workspace/outputs/gigo-lobster-taster/gigo-run.loginstead of improvising a second execution path. - Only declare failure if the process exits non-zero, the log shows a traceback, or the user explicitly asks to cancel.
- Stay attached until the wrapper exits. Do not end the conversation with “I will keep monitoring”; keep polling and only report completion once you have the final score/result files/ref_code (if any).
- Prefer
process pollplusexec tail -n 50 .../gigo-run.logwhile monitoring. Do not use a generic full-filereadongigo-run.log, because the log can be large and may break the chat output.
Default Behavior
- 中文:默认会正式上传、生成个人结果页并进入排行榜。
- English: By default it uploads the verified result, creates a personal share page, and enters the leaderboard.
Recommended Command Shape
python3 /absolute/path/to/run_upload.py --lang zh
If the user explicitly asks for overrides, append the matching CLI flags:
--lobster-name "..."and--lobster-tags "tag1,tag2"for a custom lobster persona--output-dir /custom/pathfor a custom output directory--require-png-certwhen the user refuses the SVG fallback--skip-uploador--register-onlyonly when the user explicitly asks to change the default upload behavior
Persona Defaults
- Prefer
SOUL.mdfirst - Then read
GIGO_LOBSTER_NAMEandGIGO_LOBSTER_TAGS - Finally accept explicit CLI overrides
Do not stop for interactive questions unless the user explicitly asks for an interactive run.
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制