彩票查询 - 即刻数据

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward lottery-results lookup tool, with a credential-handling caveat around its API key.

Install only if you trust the environment where the AppKey will be used. Use the documented JIKE_CAIPIAO_LOTTERY_QUERY_KEY variable, avoid committing .env files, do not set JIKE_API_BASE_URL unless you intentionally need to change the API host, and rotate the AppKey if full request URLs may have been logged.

SkillSpector

By NVIDIA

Vulnerability Patterns

Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tainted flow: 'url' from os.environ.get (line 177, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: """ url = f"{API_BASE_URL}{API_PATH_MAP[command]}?{urllib.parse.urlencode({**params, 'appkey': appkey})}" try: with urllib.request.urlopen(url, timeout=15) as response: return json.loads(response.read().decode("utf-8")) except urllib.error.HTTPError as exc: return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence: 91% confidence
Finding: with urllib.request.urlopen(url, timeout=15) as response:

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal