彩票分析助手 (Lottery Analysis Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a local lottery spreadsheet analyzer whose file reads and JSON output are disclosed and aligned with its stated purpose.

Install only if you want a local lottery-data analysis helper. Use it with intended CSV or Excel lottery-history files, check the JSON output path before running because existing result files may be overwritten, and treat generated numbers as entertainment or statistical reference rather than reliable predictions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill documentation instructs users to run Python analysis scripts and save results to fixed filesystem locations such as /home/admin/worktemp/*.json, which constitutes file-write capability without an explicit declared permission boundary. Even though the intended use is legitimate data analysis, undeclared write access increases risk because the skill can create or overwrite local files and encourages operational use of code outside a constrained interface.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script persistently writes analysis output to a fixed local JSON file even though the skill description only covers lottery analysis and recommendations, not local data persistence. This creates an unnecessary side effect: it can overwrite prior files, leak user-provided dataset contents or derived results to disk, and violate least-privilege expectations for a simple analytics skill.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The code performs filesystem writes to a hard-coded absolute path, which is broader capability than required for lottery analysis. Hard-coded output paths can overwrite existing files, create unintended persistence, and bypass user control over where potentially sensitive inputs or derived data are stored.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script creates a file at a fixed location without warning the user that execution will create or overwrite local files. In an agent-skill context, undeclared file creation is risky because users may expect an analysis-only operation, while the skill silently leaves artifacts on disk that may expose data or interfere with other processes.

VirusTotal

64/64 vendors flagged this skill as clean.