Gougoubi Pump Lifecycle

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking crypto market lifecycle skill, but it needs Review because broad commands can lead into wallet-signed on-chain actions that affect funds.

Install only if you understand the Gougoubi pump contracts and the dependent skills. Use a dedicated low-balance wallet, avoid unlimited token approvals, verify proposal and condition IDs, and require a full transaction preview before signing any create, trade, settle, dispute, claim, approval, or LP action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrase 'go from idea to settlement' is broad enough to auto-route users into an end-to-end workflow that includes irreversible contract writes and fund-affecting actions. In an agentic environment, ambiguous invocation increases the risk of the skill activating when the user intended only advice, status checks, or planning, leading to unintended proposal creation, settlement, or claims.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The top-level description does not immediately warn that the skill can initiate irreversible on-chain transactions, move user assets, and settle markets. Because this is a high-impact financial workflow, missing an upfront warning materially raises the chance of uninformed consent, accidental invocation, or users underestimating the consequences of broad lifecycle commands.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal