lotto-results

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly states the skill uses the k-lotto package to read the public 동행복권 result page HTML and fetch JSON detail responses (e.g., "최신 회차는 결과 페이지 HTML에서 읽기" and detail info from 동행복권), so it ingests open/public third-party content that the agent reads and uses to make decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs installing and requiring the external npm package k-lotto at runtime (via commands like npm install -g k-lotto and require("k-lotto")), which fetches and executes code from the npm registry (e.g., https://registry.npmjs.org/k-lotto) that the skill depends on to operate.