lobstercash
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the @crossmint/lobster-cli tool globally via npm. It also references images and installation resources from thelobster.cash domain. These are official vendor resources necessary for the skill's operation.
- [COMMAND_EXECUTION]: The skill relies on the execution of the lobstercash CLI to perform wallet and browser-automation tasks. All financial operations, such as creating virtual cards or funding the wallet, are protected by a human-in-the-loop (HITL) mechanism where the agent must provide an approval URL to the user and wait for confirmation.
- [DATA_EXFILTRATION]: During the shopping flow, the agent collects shipping addresses and contact information to automate checkout processes. This data is used as intended to complete user-initiated purchases and is not sent to unauthorized third parties.
- [PROMPT_INJECTION]: The skill interacts with external web content during the 'purchase explore' and 'purchase run' phases. It includes explicit safeguards, instructing the agent to never invent information and to always ask the user for clarification when encountering unexpected choices on a merchant's site.