Suspicious — Risk score 35/100
Last scanned: 21 hours ago
gougoubi-activate-and-stake-risklp
Activate Gougoubi proposal conditions and stake risk LP per condition in one deterministic workflow
SKILL.md references implementation scripts that are not included in the package, creating a doc-to-code mismatch with unclear intent.
Skill name: gougoubi-activate-and-stake-risklp
Analysis time: 26.3s
Engine: pi
Use with caution
Do not install until the referenced scripts are provided for code review. The missing scripts could contain undeclared sensitive behavior.

Security findings: 2

Severity | Finding | Location
Medium
Referenced scripts not included in package (Documentation deception)
SKILL.md declares three script files under 'Project Scripts' and 'Script Entry Points', but the package contains zero script files. The pre-scan confirms hasScripts: false. Without the actual implementation code, the skill's true behavior cannot be verified.
scripts/pbft-activate-and-add-risklp.mjs, scripts/pbft-join-and-activate-all-conditions.mjs, scripts/pbft-add-risk-lp-to-proposal.mjs
→ Request the full implementation scripts before installation, or verify they are available in a parent project context
SKILL.md:67
Low
Undeclared network capability reference (Documentation deception)
The skill operates on blockchain proposals (proposalAddress, risk LP staking) which inherently requires network communication. This is not declared in allowed-tools or capability requirements.
Activate Gougoubi proposal conditions and stake risk LP
→ If network access is required, declare it explicitly in the skill metadata
SKILL.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | UNKNOWN | ✓ Consistent | Blockchain operations would require network access, but no code is present to ve…
File system | NONE | UNKNOWN | ✓ Consistent | SKILL.md references file operations but no scripts exist to confirm
Command execution | NONE | UNKNOWN | ✓ Consistent | SKILL.md mentions 'node scripts/*.mjs --dry-run' but scripts are missing
1 finding
Medium External URL
https://gougoubi.ai
clawhub.json:22

Directory structure

5 files · 5.0 KB · 208 lines
Markdown 4f · 184L JSON 1f · 24L
├─ 📋 clawhub.json JSON 24L · 671 B
├─ 📝 INSTALL.md Markdown 32L · 681 B
├─ 📝 PUBLISH_CLAWHUB.md Markdown 16L · 304 B
├─ 📝 README.md Markdown 24L · 504 B
└─ 📝 SKILL.md Markdown 112L · 2.9 KB

Security highlights

✓ No executable code present, so no direct malicious behavior can be confirmed
✓ No credential harvesting patterns detected (no code to analyze)
✓ No base64 encoding, eval chains, or obfuscation observed
✓ No sensitive file access patterns (no code to analyze)
✓ Package metadata (clawhub.json) is internally consistent