Security Decision Report

gougoubi-activate-and-stake-risklp

SKILL.md references implementation scripts that are not included in the package, creating a doc-to-code mismatch with unclear intent.

Install decision first Source: manual upload Scan time: 2026/4/4
Files 5
IOC 1
Over-privileged items 0
Findings 2

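Why this conclusion was reached

0/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Review
Hidden execution and outbound connections

1 general-risk artifact was extracted; it needs to be judged in context.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain assessment has to stay flexible.

How the risk score was raised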

Doc-to-code mismatch +25

SKILL.md declares 'scripts/pbft-activate-and-add-risklp.mjs' and two other scripts as Project Scripts and Script Entry Points, but none exist in the package

Missing implementation +10

No executable code included; cannot verify actual behavior of referenced scripts

Key evidence

Medium risk Documentation deception

Referenced scripts not included in package

SKILL.md declares three script files under 'Project Scripts' and 'Script Entry Points', but the package contains zero script files. The pre-scan confirms hasScripts: false. Without the actual implementation code, the skill's true behavior cannot be verified.

SKILL.md:67
Request the full implementation scripts before installation, or verify they are available in a parent project context
Low risk Documentation deception

Undeclared network capability reference

The skill operates on blockchain proposals (proposalAddress, risk LP staking) which inherently requires network communication. This is not declared in allowed-tools or capability requirements.

SKILL.md:1
If network access is required, declare it explicitly in the skill metadata

Declared capabilities vs. actual capabilities

Network access Pass
Declared NONE
Inferred UNKNOWN
Blockchain operations would require network access, but no code is present to verify
File system Pass
Declared NONE
Inferred UNKNOWN
SKILL.md references file operations but no scripts exist to confirm
Command execution Pass
Declared NONE
Inferred UNKNOWN
SKILL.md mentions 'node scripts/*.mjs --dry-run' but scripts are missing

Suspicious artifacts and outbound connections

Medium risk External URL
https://gougoubi.ai

clawhub.json:22

Dependencies and supply chain

No structured dependency alerts.

File composition

5 files · 208 lines
Markdown 4 files · 184 lines
JSON 1 file · 24 lines
Files needing attention · 2
SKILL.md Markdown · 112 lines
Referenced scripts not included in package · Undeclared network capability reference
clawhub.json JSON · 24 lines
https://gougoubi.ai
Other files · INSTALL.md · README.md · PUBLISH_CLAWHUB.md

Security highlights

No executable code present, so no direct malicious behavior can be confirmed
No credential harvesting patterns detected (no code to analyze)
No base64 encoding, eval chains, or obfuscation observed
No sensitive file access patterns (no code to analyze)
Package metadata (clawhub.json) is internally consistent