Sports Betting Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a betting-analysis tool that gives stake recommendations while relying heavily on simulated or random data, so users should review it carefully before installing.

Install only if you understand this is an MVP/demo-style betting assistant using simulated and random data. Do not treat its predictions, value-bet labels, or stake percentages as reliable betting advice, and check local gambling laws and your own risk limits before using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The stored report presents a concrete betting-oriented output ('建议投注:1.0%') while the same report states it is not betting advice. In a sports-betting assistant, this contradiction can mislead users into treating the output as actionable wagering guidance despite the disclaimer, increasing legal, compliance, and user-harm risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
This report again gives a specific betting figure despite an embedded disclaimer denying that the analysis constitutes betting advice. Repeating this pattern in persisted history normalizes contradictory messaging and may cause users or downstream systems to interpret the skill as an advisory tool.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The third report repeats the same inconsistency: a concrete suggested betting amount is displayed alongside a non-advisory disclaimer. In this domain, users may rely on even low-confidence numerical stake cues, so the contradiction materially increases the chance of harmful reliance.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code presents itself as a data-driven sports betting analyzer, but a component of the betting recommendation (`value_bet`) is determined randomly rather than from actual data or model output. In a gambling-related context, this can mislead users into placing bets based on fabricated analysis, creating financial harm and undermining trust in the system's outputs.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The inline comment explicitly states the correct method for evaluating a value bet, but the implementation ignores that and returns a random result. This mismatch is dangerous because it gives users false confidence that the recommendation is analytically grounded when it is actually arbitrary, which is especially risky in a betting-assistance tool.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The module is presented as collecting and storing match, odds, and injury data, but it actually fabricates those values with random outputs. In a sports-betting context, this is dangerous because downstream predictions and betting advice may appear data-driven while being based on invented inputs, creating a material risk of deceptive or harmful decision support.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstrings and comments describe real-world data collection for statistics, head-to-head records, odds, and injuries, but the implementation generates synthetic values instead. Because this skill is explicitly for betting analysis, the mismatch can mislead users or other components into trusting fabricated evidence as factual, amplifying financial and reputational harm.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The implementation claims to predict total points from offensive and defensive data, but it actually ignores all input features and returns random values. In a sports-betting assistant, presenting random outputs as data-driven predictions can mislead users into making financial decisions based on fabricated analysis.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The over/under function is documented as a prediction method, but it returns essentially random probabilities unrelated to match features. In the context of betting advice, this creates deceptive output that may cause users to trust and act on meaningless recommendations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code explicitly generates betting actions such as '推荐投注' and assigns stake percentages, despite positioning the tool as decision support only. In a gambling-related skill, this contradiction can mislead users into treating the output as actionable financial advice, increasing legal, compliance, and user-harm risk.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The disclaimer says the analysis is not betting advice, but elsewhere the report includes a dedicated betting recommendation section with suggested actions and percentages. This inconsistency is dangerous because users may rely on the actionable content while the disclaimer attempts to shift responsibility, which is especially concerning in a sports-betting context.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The example trigger phrases are generic natural-language requests such as asking what games are worth betting on or requesting weekend recommendations, which can easily overlap with ordinary conversation and unintentionally invoke the skill. In a betting context, accidental activation is more sensitive because it can steer users toward gambling-related advice without a clearly intentional opt-in.

VirusTotal

64/64 vendors flagged this skill as clean.
