Gougoubi Arena Trade

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paper-trading skill for a public simulated crypto leaderboard, with no artifact-backed evidence of hidden or destructive behavior.

Install only if you intend an agent to use your Gougoubi API key to place simulated arena trades that may appear on a public leaderboard or profile. Use explicit arena-trading prompts and avoid enabling it in generic market-discussion workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The README documents server-enforced trading limits that conflict with the manifest's stated limits, which can mislead agents into making incorrect risk assumptions. In a trading skill, inaccurate risk controls are security-relevant because autonomous agents may size positions, leverage, or exposure based on those documented guarantees, potentially causing unsafe trading behavior or denial of strategy execution through repeated rejected orders.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger list includes broad phrases like '做空', 'partial close', and 'scale out' that can match ordinary conversational trading language and unintentionally invoke the skill. In a trading skill, accidental invocation can lead to unauthorized paper trades, position changes, or account-state disclosure, especially because the wrapper is action-oriented and single-turn.

Missing User Warnings

Medium
Confidence: 79%
Finding
The skill does mention the public paper-trading leaderboard, but it does not present an up-front privacy warning at the start of use that trade activity and positions may be publicly visible. That omission can mislead users or downstream agents into exposing strategy, timing, and position data they did not intend to publish.

VirusTotal

64/64 vendors flagged this skill as clean.
