Skillv1.0.2

ClawScan security

大乐透开奖查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 13, 2026, 4:22 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are consistent with a lottery-results lookup tool: it fetches public webpages, parses draw data, and does not request credentials or install third-party packages.
Guidance: This skill appears coherent: it fetches public lottery webpages and parses draw information, and it does not request credentials or install remote code. Things to consider before installing or running: 1) The scripts perform outbound HTTP requests to the listed public sites—ensure you are comfortable with network access and any site terms of service. 2) Some data sources use JavaScript/dynamic loading; web_fetch or urllib may return incomplete pages—the skill already documents this limitation and labels third-party results accordingly. 3) If you want extra assurance, review scripts/dlt_lottery.py yourself or run scripts/test_dlt_lottery.py (simulated mode) in a sandboxed environment before allowing autonomous invocation. 4) No secrets are requested, but as with any skill that makes network requests, verify you trust the data sources and are aware of possible parsing errors.

Purpose & Capability: okName/description match the included Python script and SKILL.md. All requested actions (HTTP fetch of public lottery pages, HTML parsing, multi-source fallback) are appropriate for a '大乐透开奖查询' skill.
Instruction Scope: okSKILL.md and the scripts only instruct the agent to fetch public web pages and parse results, or run the bundled Python script. There are no instructions to read unrelated local files, access secrets, or exfiltrate data to unexpected endpoints. The skill explicitly notes third-party sources and marks them as '仅供参考.'
Install Mechanism: okNo install spec is provided (instruction-only plus included scripts). The code files are bundled with the skill; there are no external downloads, package installs, or archive extraction steps in the manifest.
Credentials: okThe skill does not declare or require any environment variables, credentials, or config paths. The Python script performs only outbound HTTP requests to public sites and local formatting/validation.
Persistence & Privilege: okThe skill is not marked always:true and uses default invocation settings. It does not attempt to modify other skills or system-wide settings.