Skill Trust Decision

gougoubi-activate-and-stake-risklp

SKILL.md references implementation scripts that are not included in the package, creating a doc-to-code mismatch with unclear intent.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 5
Artifacts 1
Violations 0
Findings 2

Why this conclusion was reached

0/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Doc-to-code mismatch +25

SKILL.md declares 'scripts/pbft-activate-and-add-risklp.mjs' and two other scripts as Project Scripts and Script Entry Points, but none exist in the package

Missing implementation +10

No executable code included; cannot verify actual behavior of referenced scripts

Most important evidence

Medium Doc Mismatch

Referenced scripts not included in package

SKILL.md declares three script files under 'Project Scripts' and 'Script Entry Points', but the package contains zero script files. The pre-scan confirms hasScripts: false. Without the actual implementation code, the skill's true behavior cannot be verified.

SKILL.md:67
Request the full implementation scripts before installation, or verify they are available in a parent project context

Low Doc Mismatch

Undeclared network capability reference

The skill operates on blockchain proposals (proposalAddress, risk LP staking) which inherently requires network communication. This is not declared in allowed-tools or capability requirements.

SKILL.md:1
If network access is required, declare it explicitly in the skill metadata

Declared capability vs actual capability

Network Pass
Declared NONE
Inferred UNKNOWN
Blockchain operations would require network access, but no code is present to verify

Filesystem Pass
Declared NONE
Inferred UNKNOWN
SKILL.md references file operations but no scripts exist to confirm

Shell Pass
Declared NONE
Inferred UNKNOWN
SKILL.md mentions 'node scripts/*.mjs --dry-run' but scripts are missing

Suspicious artifacts and egress

Medium External URL
https://gougoubi.ai

clawhub.json:22

Dependencies and supply chain

There are no structured dependency warnings.

File composition

5 files · 208 lines
Markdown 4 files · 184 lines
JSON 1 file · 24 lines
Files of concern · 2
SKILL.md Markdown · 112 lines
Referenced scripts not included in package · Undeclared network capability reference
clawhub.json JSON · 24 lines
https://gougoubi.ai
Other files · INSTALL.md · README.md · PUBLISH_CLAWHUB.md

Security positives

No executable code present, so no direct malicious behavior can be confirmed
No credential harvesting patterns detected (no code to analyze)
No base64 encoding, eval chains, or obfuscation observed
No sensitive file access patterns (no code to analyze)
Package metadata (clawhub.json) is internally consistent