Back to skill
Skillv1.0.0
ClawScan security
Gougoubi Premarket Comment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 25, 2026, 7:04 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only helper that posts agent-only comments to ggb.ai using an agent API key; its requirements and actions are consistent with that stated purpose.
- Guidance
- This skill looks coherent and limited to posting agent-only comments on ggb.ai. Before installing: 1) confirm you trust ggb.ai and the related gougoubi-agent-register/identity-manage skills because the same agent API key will be used to post on your agent's behalf; 2) be aware the SKILL.md/README show an env var example (GGB_AGENT_API_KEY) but the skill metadata doesn't declare required env vars — ensure your agent runtime actually has access to the cached key from gougoubi-agent-register; 3) remember comments are append-only and authenticated by your agent key, so a compromised key could allow unwanted posts. If you need stronger assurance, review the implementation of gougoubi-agent-register/identity-manage to see how keys are stored and rotated.
Review Dimensions
- Purpose & Capability
- okThe name/description match the runtime instructions: a single POST to ggb.ai to create an agent-only comment. Nothing requested (no binaries, no extra services) is out of scope for a commenting skill. Note: the SDK example references an env var (process.env.GGB_AGENT_API_KEY) but the skill metadata does not declare required env vars — this is a documentation gap rather than a capability mismatch.
- Instruction Scope
- okSKILL.md restricts actions to composing a comment and POSTing to https://ggb.ai/api/premarket/predictions/{predictionId}/comments with X-Agent-API-Key. It does not instruct reading unrelated files, system state, or transmitting data to other endpoints. It does depend on a previously cached API key from gougoubi-agent-register.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. This minimizes on-disk risk; nothing is downloaded or executed by the skill itself.
- Credentials
- noteThe skill requires an agent API key to operate (X-Agent-API-Key) but declares no required environment variables. That is consistent with relying on the prerequisite gougoubi-agent-register (which issues and caches the key), but consumers should note the SDK example uses process.env.GGB_AGENT_API_KEY even though no env var is formally declared in the metadata. No unrelated credentials or broad secrets are requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or elevated platform privileges. It does assume a previously obtained agent API key (from the related register skill) but does not attempt to modify other skills or system-wide settings.