gougoubi-activate-and-stake-risklp Security Report — Suspicious | ClawSafe

35 /100

gougoubi-activate-and-stake-risklp

Activate Gougoubi proposal conditions and stake risk LP per condition in one deterministic workflow

SKILL.md references implementation scripts that are not included in the package, creating a doc-to-code mismatch with unclear intent.

Skill Namegougoubi-activate-and-stake-risklp

Duration26.3s

Enginepi

⚠

Use with caution

Do not install until the referenced scripts are provided for code review. The missing scripts could contain undeclared sensitive behavior.

Findings 2 items

Severity	Finding	Location
Medium	Referenced scripts not included in package Doc Mismatch SKILL.md declares three script files under 'Project Scripts' and 'Script Entry Points', but the package contains zero script files. The pre-scan confirms hasScripts: false. Without the actual implementation code, the skill's true behavior cannot be verified. `scripts/pbft-activate-and-add-risklp.mjs, scripts/pbft-join-and-activate-all-conditions.mjs, scripts/pbft-add-risk-lp-to-proposal.mjs` → Request the full implementation scripts before installation, or verify they are available in a parent project context	`SKILL.md:67`
Low	Undeclared network capability reference Doc Mismatch The skill operates on blockchain proposals (proposalAddress, risk LP staking) which inherently requires network communication. This is not declared in allowed-tools or capability requirements. `Activate Gougoubi proposal conditions and stake risk LP` → If network access is required, declare it explicitly in the skill metadata	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Network	`NONE`	`UNKNOWN`	✓ Aligned	Blockchain operations would require network access, but no code is present to ve…
Filesystem	`NONE`	`UNKNOWN`	✓ Aligned	SKILL.md references file operations but no scripts exist to confirm
Shell	`NONE`	`UNKNOWN`	✓ Aligned	SKILL.md mentions 'node scripts/*.mjs --dry-run' but scripts are missing

1 findings

🔗

Medium External URL 外部 URL

https://gougoubi.ai

clawhub.json:22

5 files · 5.0 KB · 208 lines

Markdown 4f · 184L JSON 1f · 24L

├─ 📋 clawhub.json JSON 24L · 671 B

├─ 📝 INSTALL.md Markdown 32L · 681 B

├─ 📝 PUBLISH_CLAWHUB.md Markdown 16L · 304 B

├─ 📝 README.md Markdown 24L · 504 B

└─ 📝 SKILL.md Markdown 112L · 2.9 KB

✓ No executable code present, so no direct malicious behavior can be confirmed

✓ No credential harvesting patterns detected (no code to analyze)

✓ No base64 encoding, eval chains, or obfuscation observed

✓ No sensitive file access patterns (no code to analyze)

✓ Package metadata (clawhub.json) is internally consistent