ClawHub

彩票助手

Security checks across malware telemetry and agentic risk

Overview

This lottery helper does what it says: it fetches public lottery results, can export them to user-chosen files, and generates entertainment-only number recommendations.

Before installing, be aware that the skill contacts the third-party site 17500.cn and can write txt, md, xlsx, or sqlite files to paths you choose. Use sensible output paths, treat recommendations as entertainment only, and expect backtesting to use more time and CPU.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill instructs the agent to perform outbound network access to fetch lottery data and to write files in multiple export formats, but no permissions are declared. This creates a capability/permission mismatch that can bypass user and platform expectations, making data exfiltration or unauthorized file creation harder to govern and audit.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger list includes broad everyday words such as '彩票' and '开奖', which can cause the skill to activate in loosely related conversations. Over-broad activation can unintentionally invoke network queries or file-export workflows without the user clearly intending to use this specific skill.

External Transmission

Medium
Category
Data Exfiltration
Content
## 数据接口

详见 `references/apis.md`(数据源:`https://data.17500.cn/{code}_{asc|desc}.txt`)

## 中奖率详细数据
Confidence
76% confidence
Finding
https://data.17500.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
import urllib.request

def fetch_latest(code, n=1):
    url = f"https://data.17500.cn/{code}_desc.txt"
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode("utf-8").strip().split("\n")[:n]
Confidence
83% confidence
Finding
https://data.17500.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
def fetch_range(code, start_date, end_date):
    url = f"https://data.17500.cn/{code}_asc.txt"
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as r:
        lines = r.read().decode("utf-8").strip().split("\n")
Confidence
83% confidence
Finding
https://data.17500.cn/

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal