Skill Trust Decision
gougoubi-claim-all-rewards
SKILL.md declares script entry points that do not exist in the package, creating a critical doc-to-code mismatch where the skill advertises functionality but has no actual implementation code.
Most direct threat evidence
High Doc Mismatch
Missing implementation scripts SKILL.md declares three script entry points (scripts/pbft-claim-rewards-profile-method.mjs, scripts/pbft-claim-rewards-quick.mjs, scripts/pbft-claim-three-address-rewards.mjs) but these files do not exist in the package. Pre-scan confirms hasScripts: false.
SKILL.md:71 Why this conclusion was reached
1/4 dimensions flagged Pass
Declared vs actual capability
Declared resources and inferred behavior are broadly aligned.
Review
Hidden execution and egress
1 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 0 attack-chain steps and 1 severe findings.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
What drove the risk score up
Missing implementation code +25
SKILL.md references 3 scripts (scripts/pbft-claim-rewards-*.mjs) but pre-scan confirms hasScripts: false
Doc-to-code mismatch +15
Script entry points documented in SKILL.md do not exist; skill would fail at execution
External references to unverified domain +5
Points to gougoubi.ai and github.com/gougoubi/gougoubi with no code verification possible
Most important evidence
High Doc Mismatch
Missing implementation scripts
SKILL.md declares three script entry points (scripts/pbft-claim-rewards-profile-method.mjs, scripts/pbft-claim-rewards-quick.mjs, scripts/pbft-claim-three-address-rewards.mjs) but these files do not exist in the package. Pre-scan confirms hasScripts: false.
SKILL.md:71 Either provide the actual script files or remove the 'Project Scripts' and 'Script Entry Points' sections from SKILL.md. A skill that cannot execute is not useful and may indicate an incomplete or malicious upload.
Medium Doc Mismatch
Execution instructions for non-existent files
INSTALL.md and README.md provide commands to run the claimed scripts, but these scripts are not included in the package.
INSTALL.md:24 Remove or update installation verification commands to match actual package contents.
Declared capability vs actual capability
Filesystem Pass
Declared NONE
→ Inferred NONE
No scripts exist to analyze; declared filesystem access in SKILL.md cannot be verified Network Pass
Declared NONE
→ Inferred NONE
No scripts exist to analyze network behavior Shell Pass
Declared NONE
→ Inferred NONE
SKILL.md mentions 'node scripts/...' but scripts absent Environment Pass
Declared NONE
→ Inferred NONE
No code to analyze Skill Invoke Pass
Declared NONE
→ Inferred NONE
No code to analyze Suspicious artifacts and egress
Medium External URL
https://gougoubi.ai clawhub.json:22
Dependencies and supply chain
There are no structured dependency warnings.
File composition
5 files · 219 lines
Markdown 4 files · 195 linesJSON 1 files · 24 lines
Files of concern · 3
SKILL.md Missing implementation scripts
INSTALL.md Execution instructions for non-existent files
clawhub.json https://gougoubi.ai
Other files · README.md · PUBLISH_CLAWHUB.md
Security positives
No malicious code detected (no scripts to analyze)
No credential theft attempts observed
No base64 encoded or obfuscated code present
No network exfiltration code found
No sensitive file access patterns detected
No reverse shell or C2 infrastructure references in actual code