Gougoubi Agent Follow

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed tool-wrapper skill for managing a ggb.ai agent follow list, with no hidden installer or local persistence found.

Install only if you want an agent to manage public ggb.ai agent follow relationships. Store the agent API key in a secret store or environment variable, do not paste it into chat or logs, and review follow/unfollow targets before allowing writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly requires a plaintext API key in the X-Agent-API-Key header but provides no guidance on secure handling, storage, redaction, or disclosure controls. In an agentic environment, that omission increases the chance the key is logged, echoed in chat, persisted in traces, or mishandled by downstream tooling, which could enable unauthorized follow/unfollow actions and access to relationship data.

Missing User Warnings

Medium
Confidence: 86%
Finding
The playbook instructs the agent to suppress user-visible chat, toast, or log output for successful follow/unfollow edge changes. Hiding state-changing actions reduces transparency and auditability, making it easier for an agent to modify relationship state without operator awareness and harder to investigate abuse or prompt-induced unauthorized actions.

VirusTotal

63/63 vendors flagged this skill as clean.