Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lottery Predictor

v1.1.0

Prediction and analysis tool for the China Sports Lottery and China Welfare Lottery: supports historical-data analysis, number statistics, omission-value analysis (draws since each number last appeared) and smart recommendations for 排列三 (Pai Lie San), 排列五 (Pai Lie Wu), 大乐透 (Super Lotto), 双色球 (Double Color Ball), 七星彩 (Seven Star) and the 14-match football pool (足彩14场).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The declared purpose (lottery analysis and recommendations) matches the included predictor and evolution code, but SKILL.md and README reference a command-line script, lottery_cli.py, and several data files that are absent from the file manifest, so the instructions do not match the shipped package. A payment integration (payment.py) is plausible for a paid skill, but the SKILL metadata declares no required credentials or environment variables, and payment.py embeds a hardcoded API key instead of using the declared-credential mechanism the platform expects.
Instruction Scope (flagged)
Runtime instructions tell users and agents to run CLI scripts and to store and read configuration and history under data/, which matches the code. However, SKILL.md references lottery_cli.py and multiple history files that are not in the manifest, so the instructions point at files the package does not provide. The code also makes outbound network calls (to the SkillPay API), which SKILL.md neither describes nor warns about.
Install Mechanism
There is no install spec (the skill is instruction-only), which reduces install-time risk. The code does depend on Python and the 'requests' library (used in payment.py), but no dependencies are declared, so users may need to install requests manually. No external binary downloads or archive extraction are present.
Credentials (flagged)
The skill declares no required environment variables or credentials, yet payment.py embeds a long secret API key (SKILLPAY_API_KEY) in source. A hardcoded key is a security and privacy risk and bypasses the expected model of declaring credentials. The payment module also makes outbound requests to api.skillpay.io; that fits a payment feature, but it is disproportionate for an otherwise offline analysis tool unless the skill is explicitly paid.
Persistence & Privilege
The skill stores configuration and history under its own data/ directory (evolution_config.json, prediction_history.json), which is consistent with its purpose. always:false and the absence of OS restrictions mean it does not request elevated or platform-wide persistent privileges. It writes files to its local data directory, which is expected behaviour.
What to consider before installing
This skill contains working analysis code, but there are two red flags to weigh before installing or running it:

(1) SKILL.md and README reference a CLI (lottery_cli.py) and several data files that are not included in the manifest. Confirm whether the missing files exist, or ask the author for the complete package.

(2) payment.py contains a hardcoded SkillPay API key and makes network calls to api.skillpay.io. A key embedded in source is sensitive and points to sloppy or unsafe secret handling (or a leaked developer key); anyone who downloads the package can read and reuse it.

Recommended actions: do not run this on a sensitive or production machine; inspect the code locally in a sandbox; if you accept the payment integration, remove the hardcoded credential and read it from an environment variable instead; verify the skill source and author, and request the missing CLI and data files or an explanation; if you only need offline analysis, run it with network access disabled. If you plan to use the payment feature, confirm with the SkillPay service that the embedded key is legitimate and intended to be public (it should not be).



