Bbc Skill

Security checks across malware telemetry and agentic risk

Overview

The skill does collect Bilibili comments as advertised, but it also silently self-updates and can automatically read browser session cookies, so it needs review before installation.

Install only if you are comfortable with a skill that can use your Bilibili session cookies and may inspect local browser cookie stores when no explicit cookie file is supplied. Prefer passing a specific --cookie-file, avoid browser auto-detection, remove or disable the silent auto-update instruction, and do not share generated outputs because they can contain user IDs, nicknames, comments, and IP-location metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The top-level description frames the skill as a read-only comment fetch/export tool, but the documented behavior expands into broader account-linked operations such as batch collection by UID, cookie ingestion from multiple sources, browser cookie auto-detection, and logged-in user inspection. This mismatch can cause agents or users to authorize the skill under a narrower trust model than the behavior actually requires, increasing the chance of unintended credential exposure and overbroad data access.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to silently run `git pull` and update local files before normal operation, which introduces remote code changes unrelated to the immediate user request. Silent network-based self-update expands the trust boundary to the current state of a repository and can result in unreviewed code execution paths or behavior drift without user awareness.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill claims all commands are read-only, but the documented auto-update step performs both repository modification and filesystem writes to `.last_update`. This inconsistency can mislead users and orchestrators into granting trust appropriate for a passive data reader while the skill actually changes local code and state.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The document instructs the skill to obtain active Bilibili session cookies from multiple secret-bearing sources, including environment variables, cached local files, and automatic browser extraction. For a skill described as read-only comment collection, this materially broadens capability into credential harvesting and reuse, enabling full authenticated account access if the cookie is mishandled or abused.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This section documents decrypting Chrome/Edge cookies via macOS Keychain-derived material and local database access, which is credential-access behavior rather than ordinary API consumption. Even if intended to help the user authenticate, embedding OS credential-store access and decryption steps in the skill creates a high-risk pathway for session theft and privilege misuse.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The claim that the skill 'only calls api.bilibili.com directly' is misleading because the document also describes reading local secret stores, browser databases, and decrypting stored cookies. That mismatch can cause users or reviewers to underestimate the skill's actual privilege boundary and credential-access behavior.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill metadata emphasizes fetching comments for a single video by BV/URL/UID, but the CLI also includes `fetch-user`, which batches all videos for a creator UID. That materially expands collection scope from targeted retrieval to account-wide enumeration, increasing the chance of overcollection and user surprise, especially when authenticated cookies are used.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module persists Bilibili authentication cookies to ~/.config/bbc-skill/cookie.json for reuse, which expands the skill from transient read-only fetching into local secret storage. Even though chmod(0600) is attempted, storing session cookies on disk increases the chance of credential theft via local compromise, backups, or accidental disclosure, and this behavior is not aligned with the stated read-only comment-fetching scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file implements extraction of browser cookies from Chrome-family profiles, pulls the Safe Storage secret from macOS Keychain, and decrypts cookie values to recover session tokens such as `SESSDATA`. That is not reasonably justified by a skill described as fetching public Bilibili video comments for self-analysis, and it creates a credential-harvesting capability that could enable account takeover or unauthorized access.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest claims a read-only comment analysis tool, but the code accesses macOS Keychain, reads browser cookie databases, copies them to temporary files, and decrypts cookie values. This mismatch is dangerous because it conceals sensitive credential access behind an innocuous description, increasing the likelihood that users or reviewers will trust and run it without understanding the privacy and account-security implications.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code enumerates Firefox profiles, copies the browser cookie database, and extracts cookies for bilibili.com, specifically returning them when a SESSDATA session cookie is present. That is credential-access behavior: session cookies can authenticate as the user and exceed the stated read-only comment-export purpose, making account/session compromise possible if the data is reused, logged, or exfiltrated.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The schema defines a `cookie-check` command that validates a user's Bilibili cookie and returns logged-in user info, which is broader than the manifest's stated purpose of collecting and exporting video comments. Even if intended for diagnostics, exposing account-validation/user-info capability increases access to authenticated identity data and expands the skill's effective privilege surface beyond comment retrieval.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The schema supports browser cookie auto-detection and optional cookie file paths for comment-fetching commands, which expands the skill from simple read-only data collection into local credential discovery and use. In an agent context, this is sensitive because it enables access to browser-stored authentication material that may be unnecessary, surprising to users, and reusable for actions beyond the stated comment-export purpose if other code misuses it.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
A silent auto-update that performs network fetches and local writes without notifying the user creates a supply-chain risk and undermines auditability. Even if intended for convenience, hidden updates can introduce malicious or broken changes, bypass change-control, and make incident investigation harder because behavior may differ run to run.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill enables implicit invocation without any activation constraints, so a general user request about Bilibili comments could automatically trigger a workflow that requests or uses sensitive authentication material. In this skill’s context, that is more dangerous because the advertised functionality depends on browser-exported cookies and batch collection, which increases the chance of unintended credential handling or data collection without explicit user confirmation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`cookie-check` resolves browser or file-based cookies and immediately sends them to a remote API to validate session state, without any visible in-command warning or explicit consent flow in this file. Even though the feature is functional rather than overtly malicious, transmitting locally sourced auth material to verify identity is privacy-sensitive and can surprise users who do not expect browser cookies to be accessed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `fetch` command uses resolved authentication cookies for remote collection and writes results to disk, but this file provides no strong user-facing disclosure beyond argument names. In a security review context, silent use of browser cookies plus local persistence of collected content can create privacy and consent risks, especially if invoked by an agent on a user's machine.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`fetch-user` combines authenticated requests with batch collection across a creator's videos and writes the aggregate results locally, again without an explicit disclosure in this file. Because this mode broadens scope significantly, the lack of warning is more dangerous than single-video fetch: it can lead to unexpectedly large-scale data collection using the user's logged-in session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Sensitive session cookie data is written as plaintext JSON to a predictable config path without any in-file user warning or consent flow. Although file permissions are tightened on a best-effort basis, plaintext persistence of reusable session tokens can allow account takeover if another local process, user, backup system, or synchronization tool accesses the file.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code silently fetches the browser Safe Storage password from Keychain and derives a decryption key without any user-facing notice or confirmation. Even if the ultimate goal is only comment retrieval, silently accessing sensitive local credentials violates user expectations and can expose authentication material for unrelated browser activity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function copies browser cookie databases to a temporary file, enumerates matching cookies, and decrypts them without any interactive warning or consent. This expands exposure of sensitive session data and creates additional local handling risk because credential-bearing data is duplicated on disk during processing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill silently copies Firefox's cookies.sqlite to a temporary file and reads sensitive cookies without any user-facing disclosure or consent. Even though the temp file is deleted in a finally block, this workflow unnecessarily handles live authentication material on disk and increases the chance of credential exposure through crashes, forensic recovery, or future code changes that log or persist the values.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code extracts and emits IP-derived location information from comment reply data into flattened JSONL output. Even if this is coarse geolocation rather than a raw IP address, it is still personal or quasi-personal data that can increase deanonymization, profiling, or compliance risk when exported for later analysis.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The summary output intentionally includes user-identifying fields such as uname and mid, along with location-derived ip_location aggregates and comment previews. In a skill whose stated purpose is exporting and analyzing comments, this creates a privacy risk because downstream consumers receive personal or quasi-personal data without minimization, consent checks, or any code-level safeguards to redact, anonymize, or gate disclosure.

Credential Access

High
Category
Privilege Escalation
Content
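4. Put the file somewhere convenient, for example `~/Downloads/bilibili_cookies.txt`

**Other export methods**:
- Firefox: install the [cookies.txt](https://addons.mozilla.org/firefox/addon/cookies-txt/) add-on; the steps are similar
- Edge: same as the Chrome extension (Edge is compatible with Chrome extensions)
- Manually on the command line: browser F12 → Application → Cookies → copy the `SESSDATA` value, then `export BBC_SESSDATA="值"`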
Confidence
92% confidence
Finding
firefox/addon/cookies

VirusTotal

66/66 vendors flagged this skill as clean.
