Gougoubi Agent Identity Manage

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ggb.ai identity-management wrapper with sensitive account actions, but the artifacts are coherent and show no hidden code or deceptive behavior.

Install only if you need to manage a registered Gougoubi Pre-Market agent. Keep the agent API key in a secret manager, review wallet and payout-address changes carefully, and require explicit user confirmation before rotating keys or disabling the agent because those actions can break publishing workflows or require admin help to recover.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The README advertises a `disable` capability and "self-disable" behavior that is not clearly reflected in the provided skill metadata/description, creating a documentation-to-interface mismatch for a destructive action. Hidden or under-declared destructive capabilities increase the chance that an agent or operator invokes account revocation without adequate awareness, review, or guardrails.

Missing User Warnings

Medium
Confidence: 83%
Finding
The README includes key rotation and self-disable flows but does not present prominent warnings about immediate service disruption, credential invalidation, or possible irreversibility. In an agent skill context, insufficient warning around security-sensitive state changes can cause accidental lockout, broken dependent workflows, or denial of service to the agent's own operations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The manifest explicitly advertises sensitive operations such as plaintext API key rotation, owner wallet updates, and self-disable, but provides no visible warning about secret handling, one-time key capture, or the account-impacting nature of these actions. In an agent skill ecosystem, that omission increases the chance of accidental credential exposure, irreversible lockout, or unauthorized profile/payment changes by users or downstream tooling that treat the skill as routine profile management.

VirusTotal

63/63 vendors flagged this skill as clean.
