体彩兑奖 (Sports Lottery Prize Check)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed lottery-result checker, but its HTTPS request is insecure and users should verify any result with an official source.

Install only if you are comfortable using it as a convenience checker. Because the script accepts unverified HTTPS responses, a hostile network could tamper with displayed draw results; confirm winnings and prize amounts through an official lottery source. The maintainer should remove the TLS verification bypass before users rely on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding
The skill appears to rely on external network access to query lottery results, but the manifest does not declare that capability. Undeclared network behavior reduces transparency and prevents users or a permission system from making an informed trust decision about external data access. In this context the network use is aligned with the stated function, so the risk is primarily hidden capability and policy bypass rather than obviously malicious behavior.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The documented purpose says the skill checks user-provided lottery numbers, but it also depends on fetching live draw data from an external API without clearly disclosing that behavior. This description-behavior mismatch can mislead users about data flows, reliability, and privacy exposure, especially if submitted numbers are transmitted to a third party. The skill context makes the behavior plausible, which lowers suspicion of malice, but the lack of disclosure still creates a real security and trust issue.

Missing User Warnings

High
Confidence: 99%
Finding
The code explicitly disables TLS certificate validation and hostname verification before calling the remote lottery API. This allows a man-in-the-middle attacker or hostile network environment to spoof the API endpoint, tamper with draw results, or inject misleading data that the tool presents as official, undermining integrity and trust.

VirusTotal

59/59 vendors flagged this skill as clean.
