Security audit

Bilibili Video Info

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because its advertised Bilibili purpose is undercut by an unrelated backend configuration and by persistent API-key storage.

Install only after the publisher explains or removes the XBY/Gaokao backend, documents exactly where any API key is sent and stored, and avoids plaintext persistence unless you explicitly opt in. Use a least-privilege or throwaway credential if testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 80%
Finding
The workflow example references an unrelated tool, `search_schools`, which contradicts the documented Bilibili-only functionality. Such inconsistencies can misroute an agent to the wrong tool or parameter schema, increasing the risk of unintended calls, data leakage to unrelated backends, or unsafe execution paths.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The code identifies itself as a Gaokao/XBY skill while the manifest claims it is a Bilibili video information service. This kind of service-identity mismatch is a supply-chain red flag because it suggests code reuse from an unrelated project or hidden integration with a different backend, making user trust and review much harder.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The configuration targets an unrelated XBY/Gaokao backend, including a remote base URL, MCP ID, and API-key handling, despite the skill claiming to retrieve Bilibili subtitles, danmaku, and comments. In this context, hidden or unrelated external-service dependencies materially increase the risk of unauthorized data transmission, deceptive functionality, or backdoor-like behavior.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The file persists an API key for an unrelated external backend to .env, a capability not justified by the advertised Bilibili retrieval function. Persistent credential storage expands the blast radius of compromise and is especially suspicious when tied to an undisclosed third-party service.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to solicit an API key from the user and store it without any warning about how the credential will be handled, persisted, or protected. This can lead users to disclose secrets without informed consent and increases the risk of insecure storage, later reuse, or accidental exposure through logs and files.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code writes the supplied API key directly into a local .env file and updates the process environment without any user-facing consent, warning, or visibility. This can cause users or operators to unknowingly persist secrets on disk, where they may later be exposed through backups, logs, repository mistakes, or multi-user access.

Ssd 3

Medium
Confidence: 94%
Finding
The instruction to save a user-provided API key for later use creates a clear data retention risk because it normalizes persistent storage of sensitive credentials. In this skill context, the danger is elevated by the implied file-write and environment capabilities, which could cause the secret to be stored in plaintext or reused outside the user's expectation.

Ssd 3

Medium
Confidence: 88%
Finding
Directing the agent to display raw API response data to the user is risky because raw payloads can contain sensitive fields, identifiers, tokens, or echoed user-supplied content that should be filtered. In a service that processes comments, subtitles, and external API data, unreviewed raw output also increases the chance of prompt-injection-style content being surfaced verbatim.

VirusTotal

64/64 vendors flagged this skill as clean.