Sports Lottery Prize Redemption (体彩兑奖)

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misconfigured proxy could potentially spoof the lottery result data shown by the report, though the visible code does not send credentials or user lottery numbers to that API.

Why it was flagged

The script fetches lottery data over HTTPS but disables hostname and certificate verification. The network call is purpose-aligned, but disabling verification weakens trust in the returned draw data.

Skill content

ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
...
with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:

Recommendation

Treat results as informational and verify winnings with the official lottery source. The maintainer should remove the disabled TLS verification and use normal certificate validation.

What this means

Users have less external context for who maintains the skill or where the code originally came from.

Why it was flagged

The skill has no public source or homepage listed, which limits independent provenance review. This is mitigated by the absence of an install script or dependency download in the provided artifacts.

Skill content

Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.

Recommendation

Prefer skills with a verifiable source repository when possible, or review the included script before use.