ClawHub

Lottery Analyzer Backup 20260418 083724

Security checks across malware telemetry and agentic risk

Overview

This lottery-analysis skill writes local lottery data and prediction files, but the behavior is disclosed, purpose-aligned, and confined to the skill’s own files.

Install only if you are comfortable with the skill modifying its bundled lottery CSV and saving prediction, report, and result JSON files locally. Use --no-save when you do not want prediction history retained, and do not enable any message-hook integration unless you intentionally want lottery-looking messages to trigger updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This section expands the skill from passive analysis into automatic ingestion of incoming draw messages and writing them into the bundled dataset. Any feature that transforms external messages into persistent local changes increases the attack surface for malformed input, accidental corruption, or unauthorized state changes, even if the stated goal is legitimate.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The OpenClaw hook integration introduces automated processing of external messages, which is materially broader than a simple lottery-analysis skill. Message-triggered execution can cause unintended activation, persistent file writes, and processing of untrusted content without a clear interactive review step.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description advertises '智能预测' without clearly constraining what predictions are allowed, what data is used, or how uncertainty is communicated. In a lottery skill, broad prediction framing can mislead users into treating speculative outputs as authoritative recommendations, increasing risk of deceptive or irresponsible behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The default execution path automatically writes prediction records containing issue numbers, recommendations, and metadata to disk unless the user explicitly opts out with --no-save. In an agent/skill environment, silent persistence can create privacy and data-retention risks, and similar logic elsewhere also saves winning results only in certain output paths, making retention behavior inconsistent and easy for users to miss.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal