体彩兑奖
Pass
Audited by ClawScan on May 10, 2026.
Overview
This lottery-checking skill is mostly purpose-aligned and does not show credential use, persistence, or data exfiltration, but it does make an external API call with TLS certificate verification disabled.
This skill appears safe for basic lottery checking, but use it as a convenience tool only. Confirm any winning result through an official channel, especially because the script disables HTTPS certificate verification when retrieving draw data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or misconfigured proxy could potentially spoof the lottery result data shown by the report, though the visible code does not send credentials or user lottery numbers to that API.
The script fetches lottery data over HTTPS but disables hostname and certificate verification. The network call is purpose-aligned, but disabling verification weakens trust in the returned draw data.
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
...
with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
Treat results as informational and verify winnings with the official lottery source. The maintainer should remove the disabled TLS verification and use normal certificate validation.
Users have less external context for who maintains the skill or where the code originally came from.
The skill has no public source or homepage listed, which limits independent provenance review. This is mitigated by the absence of an install script or dependency download in the provided artifacts.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Prefer skills with a verifiable source repository when possible, or review the included script before use.
