Security audit

Shuangseqiu Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local entertainment lottery-number generator that uses a birthday and optional name for personalization, with no evidence of network access, storage, credentials, persistence, or destructive behavior.

Install only if you are comfortable using an entertainment-style lottery generator. Provide a real birthday or name only if you are comfortable sharing them with the local agent context; there is no artifact evidence that the script stores or transmits that data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger phrases are broad enough to activate on common lottery-related requests without clearly constraining when this skill should run or what data it should ask for. In an agent environment, this can cause inappropriate invocation and unnecessary collection or use of sensitive personal data such as birthdate and name for a non-essential entertainment feature.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill requests and processes personal data including birthdate and name, but the description does not warn users that such data will be used to generate outputs. This creates a privacy and consent issue because users may provide sensitive information without understanding why it is needed or that it will be deterministically incorporated into the generated numbers.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal