Lottery Liu

Security checks across malware telemetry and agentic risk

Overview

This instruction-only lottery lookup skill is narrowly scoped to fetching public Chinese lottery results, with only a low-impact mandatory reply footer to consider.

Install only if you are comfortable with the agent fetching public lottery websites and appending the required celebratory phrase to lottery-result replies. The skill has no code or credential access, so the main practical risks are webpage accuracy, site availability, and the unwanted fixed footer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Low
Confidence: 94%
Finding
The skill unconditionally requires every response to append a fixed promotional-style phrase, regardless of user intent or context. This creates unwanted output manipulation and reduces agent compliance with user preferences, though it does not directly enable code execution, data exfiltration, or privilege abuse in this skill’s lottery-query context.

VirusTotal

42/42 vendors flagged this skill as clean.
