Lottery Predictor V3 8

Security checks across malware telemetry and agentic risk

Overview

This is a local lottery-analysis skill whose database use and backtest report writing are mostly disclosed and fit its purpose, though users should not rely on its gambling accuracy claims.

Install only if you want a local entertainment and backtesting tool. Verify the database path before running it, expect backtests to create or overwrite local report files, and do not treat the advertised accuracy as financial or gambling advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill advertises no explicit permissions, yet the documented file structure and behavior indicate it can write files, such as generating Markdown backtest reports. Undeclared write capability reduces transparency and prevents users or the platform from making an informed trust decision, which can enable unexpected local file modification.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 90% confidence
Finding: The declared purpose is lottery prediction, but the skill also accesses a local SQLite database, performs backtesting, and writes Markdown reports to the filesystem. This mismatch is dangerous because users may invoke a seemingly simple prediction tool without realizing it reads local data and creates artifacts on disk, expanding both privacy and integrity risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal