Security audit

DLT大乐透预测 v4.0

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware-like, but it gives lottery betting recommendations with overstated predictive and return claims and weak gambling-risk disclosure.

Review carefully before installing. Treat outputs as entertainment only, not financial advice or a way to improve lottery odds; lottery outcomes are random and users can lose money. Use strict spending limits, follow local gambling laws, verify the configured spreadsheet path, and do not load untrusted joblib or pickle model files with this skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (7)

exec() call detected

High

Category: Dangerous Code Execution
Content: 'dlt_compound_betting' ]: try: exec(f'from {module_name} import *', globals()) print(f" ✅ {module_name} 导入成功") except ImportError: print(f" ⚠️ {module_name} 导入失败（使用None替代）")
Confidence: 96% confidence
Finding: exec(f'from {module_name} import *', globals())

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The module claims to move away from 'predict winning' logic, but the implementation still produces concrete betting combinations, ranks them, and presents them as actionable lottery recommendations. In a skill context, this is dangerous because it can mislead users into believing the system has meaningful predictive or financial edge, encouraging gambling decisions based on unsupported claims.

Intent-Code Divergence

Medium

Confidence: 89% confidence
Finding: The docstring says the code analyzes public betting preferences, but the implementation only inverts historical draw frequency and adds randomness. This mismatch can deceive users about the sophistication and evidentiary basis of the recommendation engine, creating unjustified trust in a gambling-related output.

Intent-Code Divergence

Medium

Confidence: 91% confidence
Finding: The expected-value ranking description claims a theoretically grounded model based on prize divided by number of selectors, but the code actually estimates value from historical number frequency alone. Presenting this as expected-value analysis is materially misleading and may induce users to place bets under false assumptions of optimized return.

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: This is a real implementation flaw: `front_classification` values are converted to 1-based numbers earlier, but `get_recommended_numbers` later iterates those values as if they were zero-based indices when adjusting `scores[idx]`. That causes weighting to be applied to the wrong entries and can silently distort recommendations, undermining the integrity of the analysis and any downstream decisions based on it.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The document provides lottery recommendation logic, optimization strategies, and spend-related controls without clearly warning users that the skill influences gambling behavior and may lead to financial loss. In this context, the skill is explicitly designed to improve betting decisions, so omission of a risk disclosure can mislead users about safety, expected efficacy, and financial downside.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: Comments and user-facing text suggest certain strategies may improve winning stability or expected returns without qualification, especially in the context of lottery betting. In a user-facing skill, that can function as manipulative or deceptive financial/gambling guidance by overstating the value of heuristics on fundamentally random outcomes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal