v1.0.0

lotto-agent

ClawScan verdict for this skill: Benign. Analyzed May 1, 2026, 4:24 PM.

Analysis

This appears to be a coherent private lottery assistant, with notable but disclosed local storage, optional API-key use, and confirmable cron-based automation.

Guidance: This skill looks purpose-aligned for private lottery tracking. Before installing, be comfortable with local record storage, avoid adding API keys unless needed, and only reply to confirm cron automation if you want the skill to keep running scheduled checks in the background.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Info | Confidence: High | Status: Note
SKILL.md
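When the user mentions: lottery, Double Color Ball, Super Lotto, Seven Star Lottery, Seven Happy Lottery, Welfare Lottery 3D, Arrangement 3, Arrangement 5, Happy 8, number picking, draw, prize redemption, winning, draw period number, prize pool, prize money, report, profit and loss, or recommended numbers, this Skill must be used first.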

The skill defines a broad set of lottery-related triggers and says it must be prioritized. This is aligned with the stated purpose, but users should know it may be invoked for many lottery-adjacent requests.

User impact: The agent may route many lottery-related conversations into this skill.
Recommendation: Use the skill when you want lottery assistance, and disable or avoid invoking it if you do not want lottery-related requests handled by its scripts.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
requirements.txt
pytest>=8.0.0

The README recommends installing requirements, and this dependency is specified as a version range rather than an exact pinned version. It is user-directed setup and not evidence of malicious behavior.

User impact: Installing dependencies may fetch a newer package version than the author tested.
Recommendation: If you deploy this skill in a sensitive environment, pin dependency versions or review the dependency before installing.
Rogue Agents
Severity: Medium | Confidence: High | Status: Note
scripts/cron_manager.py
return f"*/5 * * * * cd {shell_quote(skill_dir)} && {python_bin} scripts/main.py schedule --push {CRON_MARKER}"

The skill can create a cron entry that wakes the skill every five minutes for automation. The code and README indicate this requires confirmation and has an uninstall path, so it is disclosed persistence rather than hidden behavior.

User impact: If enabled, the skill will keep running scheduled checks in the background until the cron entry is removed.
Recommendation: Only confirm automation if you want ongoing background operation, and use the provided uninstall/cron status actions when you no longer need it.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: Medium | Status: Note
scripts/fetch_draw.py
appkey = env(source_config.get("appkey_env", "JISU_APPKEY"))

The skill can use an API key for a draw-data provider when configured. This is consistent with fetching lottery draw data and the README says the default public GitHub source does not require ordinary installers to configure an API key.

User impact: If you provide an API key, the skill can make draw-data requests using that credential.
Recommendation: Do not configure provider API keys unless needed, and use a key limited to the lottery-data service.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/database.py
DB_PATH = DATA_DIR / "lottery.db"

The skill stores lottery tickets, draw data, prize results, reports, settings, and scheduled tasks in a local SQLite database. This is expected for tracking costs and prize checks, but it is persistent local user data.

User impact: Your lottery history, costs, purchase status, and automation settings may remain on disk.
Recommendation: Protect or delete the local database if the machine is shared, backed up, or later repurposed.