ClawHub

排列五分析工具

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware-like, but it presents mock or unsupported lottery analytics as if they are data-backed guidance for gambling decisions.

Only install this if you will treat it as entertainment or a probability demo. Do not rely on its claimed patterns, percentages, or accuracy figures when spending money; the artifacts do not show real historical data retrieval or validated calculations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The manifest requests `exec` and `web_search` even though the documented purpose is simple lottery analysis and educational probability content. Unnecessary high-privilege tools expand the attack surface: if later prompts, hidden content, or user inputs are routed through this skill, shell execution or external retrieval could be abused for command execution, data exfiltration, or fetching untrusted content.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function advertises retrieval of recent lottery history but does not call any API or process any real data; it only prints placeholder text. In a tool marketed for analysis, this is deceptive functionality that can mislead users into trusting outputs as data-driven when they are not.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The core 'analysis' features such as hot/cold numbers, difference statistics, and kill-number formulas are hard-coded rather than computed from actual input data. In the context of a gambling-assistance skill, this can materially mislead users into making financial decisions based on fabricated or unverifiable analysis.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal