Security Decision Report

gougoubi-claim-all-rewards

SKILL.md declares script entry points that do not exist in the package, creating a critical doc-to-code mismatch where the skill advertises functionality but has no actual implementation code.

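Install decision first  Source: manual upload  Scan time: 2026/4/4
Files 5
IOC 1
Privilege overreach items 0
Findings 2
Most direct threat evidence
High risk · Documentation deception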
Missing implementation scripts

SKILL.md declares three script entry points (scripts/pbft-claim-rewards-profile-method.mjs, scripts/pbft-claim-rewards-quick.mjs, scripts/pbft-claim-three-address-rewards.mjs) but these files do not exist in the package. Pre-scan confirms hasScripts: false.

SKILL.md:71

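Why this conclusion was reached

1/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Review
Hidden execution and outbound connections

1 general-risk artifact was extracted; it needs to be judged in context.

Block
Attack chain and high-risk findings

The report contains an attack chain of 0 steps, plus 1 high-risk or critical finding.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain judgment needs to retain some flexibility.

How the risk score was raised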

Missing implementation code +25

SKILL.md references 3 scripts (scripts/pbft-claim-rewards-*.mjs) but pre-scan confirms hasScripts: false

Doc-to-code mismatch +15

Script entry points documented in SKILL.md do not exist; skill would fail at execution

External references to unverified domain +5

Points to gougoubi.ai and github.com/gougoubi/gougoubi with no code verification possible

Key evidence

High risk · Documentation deception

Missing implementation scripts

SKILL.md declares three script entry points (scripts/pbft-claim-rewards-profile-method.mjs, scripts/pbft-claim-rewards-quick.mjs, scripts/pbft-claim-three-address-rewards.mjs) but these files do not exist in the package. Pre-scan confirms hasScripts: false.

SKILL.md:71
Either provide the actual script files or remove the 'Project Scripts' and 'Script Entry Points' sections from SKILL.md. A skill that cannot execute is not useful and may indicate an incomplete or malicious upload.
Medium risk · Documentation deception

Execution instructions for non-existent files

INSTALL.md and README.md provide commands to run the claimed scripts, but these scripts are not included in the package.

INSTALL.md:24
Remove or update installation verification commands to match actual package contents.

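Declared capabilities vs. actual capabilities

File system: Pass
Declared: NONE
Inferred: NONE
No scripts exist to analyze; declared filesystem access in SKILL.md cannot be verified
Network access: Pass
Declared: NONE
Inferred: NONE
No scripts exist to analyze network behavior
Command execution: Pass
Declared: NONE
Inferred: NONE
SKILL.md mentions 'node scripts/...' but scripts absent
Environment variables: Pass
Declared: NONE
Inferred: NONE
No code to analyze
Skill invocation: Pass
Declared: NONE
Inferred: NONE
No code to analyze

Suspicious artifacts and outbound connections

Medium risk · External URL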
https://gougoubi.ai

clawhub.json:22

Dependencies and supply chain

No structured dependency alerts.

File composition

5 files · 219 lines
Markdown 4 files · 195 lines; JSON 1 file · 24 lines
Files needing attention · 3
SKILL.md Markdown · 114 lines
Missing implementation scripts
INSTALL.md Markdown · 33 lines
Execution instructions for non-existent files
clawhub.json JSON · 24 lines
https://gougoubi.ai
Other files · README.md · PUBLISH_CLAWHUB.md

Security highlights

No malicious code detected (no scripts to analyze)
No credential theft attempts observed
No base64 encoded or obfuscated code present
No network exfiltration code found
No sensitive file access patterns detected
No reverse shell or C2 infrastructure references in actual code