Daily Draw For Lucky

Security checks across malware telemetry and agentic risk

Overview

This appears to be a lightweight oracle or fortune-drawing skill, with the main issue being that the word “draw” could invoke it unintentionally.

This skill appears safe to install for casual oracle or fortune-drawing use. Prefer invoking it with a specific phrase such as “oracle draw” or “draw fortune” to avoid accidental activation when you use the ordinary word “draw” in another context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrase "draw" is extremely generic and likely to appear in normal conversation unrelated to this skill, which can cause accidental invocation. In a chat agent context, broad triggers increase prompt-routing collisions and may cause the oracle skill to activate unexpectedly, degrading reliability and potentially interfering with user intent.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: Repeating the broad trigger in the usage section reinforces an unsafe activation pattern without adding constraints, making accidental matching more likely during trigger ingestion or downstream parsing. Because this is a lightweight conversational skill, ambiguous routing is the main risk: users may invoke the skill unintentionally or other skills may be shadowed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal