Back to skill

Security audit

Bilibili Auto Transcript

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it handles browser session cookies and sends transcript text to AI APIs with broader automatic behavior than users may expect.

Install only if you are comfortable with the skill using your Bilibili browser login cookies, storing transcripts and metadata locally, and sending transcript excerpts to the AI summary provider configured by OPENAI_API_KEY or .env. Prefer a dedicated browser profile, avoid exporting cookies to shared /tmp paths, review or disable cron jobs you do not want, and leave OPENAI_API_KEY unset if you want local-only transcription.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation says the skill 'only outputs files' and leaves indexing to another component, but elsewhere it states that it writes to SQLite, state files, logs, and CSV reports. This inconsistency can mislead users about the skill's persistence footprint and reduce informed consent around what local data is stored.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The claim that the skill 'just outputs files' understates broader state management behavior such as database updates and log/report generation. Under-disclosure of persistence and metadata collection is risky because users may expose viewing history or transcript metadata without realizing how much local state is retained.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script's declared purpose is transcript retrieval, but it also stores full transcripts and metadata in a SQLite database and renders output files from that database. This expands the data-handling surface beyond what the manifest describes, which can mislead users about persistence, retention, and downstream reuse of collected content.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script accesses browser cookie stores for authentication and later sources a local .env file for API credentials, but these credential-handling behaviors are not disclosed in the manifest. Undisclosed access to local credentials is dangerous because users may run the skill expecting only network retrieval, not local secret discovery and reuse.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script enumerates multiple browser profile paths, including Windows profiles under /mnt/c/Users, to locate reusable cookies automatically. Cross-profile and cross-OS cookie discovery materially increases the chance of collecting credentials the user did not intend to expose, especially in shared or multi-account environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to configure an API key and obtain logged-in Bilibili cookies, but it does not warn that cookies may grant account access and that transcript, metadata, or summaries may be sent to third-party AI providers when summary generation is enabled. In a skill that scrapes platform content and optionally calls OpenAI-compatible APIs, missing privacy and credential-handling guidance increases the risk of unintended data disclosure or account misuse.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The manual-mode trigger is described as activating whenever the user provides a Bilibili link, without clear scoping or confirmation requirements. In agent environments, broad trigger conditions can cause unintended downloads, network requests, cookie usage, and local writes from casual mentions or pasted links.

Vague Triggers

Low
Confidence
71% confidence
Finding
The automatic scanning mode describes periodic checks and processing but does not clearly define when scanning should run, what scope it covers, or what guardrails prevent unnecessary polling. Ambiguous autonomous behavior increases the chance of unintended network access and background processing beyond the user's expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly instructs users to extract authenticated browser cookies and write them to a world-readable temporary path for accessing private favorites/member videos. Even though presented as operational guidance rather than malware, this handles session credentials in a risky way and lacks strong warnings about credential sensitivity, file permissions, cleanup, or consent boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script enables AI-generated summaries when OPENAI_API_KEY is present and only prints that the feature is enabled, without clearly disclosing that transcript contents may be sent to a third-party LLM provider. In a transcription workflow, this can expose potentially sensitive video-derived text outside the local environment without informed consent or policy controls.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script reads browser credential material to authenticate subtitle retrieval without a clear upfront warning or explicit consent gate. In an agent-skill context, silent credential reuse is especially risky because users may not inspect the script closely and may not realize local browser secrets are being touched.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically loads API credentials from the environment or a local .env file to trigger AI summary generation, without a strong user-facing warning. This can cause unintended use of paid external APIs and transmission of transcript data to third-party services when the user expected only local transcription.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends transcript text and title to an external LLM service, which can expose sensitive or private video content to a third party. In this skill context, transcript data may contain personal, proprietary, or otherwise confidential information, and there is no explicit consent prompt or transmission warning at the moment the data is sent.

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s "https://api.bilibili.com/x/v3/fav/resource/list?media_id=3972051046&ps=20&pn=1"

# 带Cookie访问(私有收藏夹)
curl -s -b /tmp/cookies.txt "https://api.bilibili.com/x/v3/fav/resource/list?media_id=xxx&ps=20&pn=1"
```

## Cookie 提取(私有收藏夹/会员视频用)
Confidence
74% confidence
Finding
https://api.bilibili.com/

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
--print title \
  "https://www.bilibili.com/video/BV1rPDkB7ESC/"
```
Confidence
88% confidence
Finding
cookies-from-browser "edge:C:/Users/$WIN_USER/AppData/Local/Microsoft/Edge

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.