
Security audit

Xby Bilibili

Security checks across malware telemetry and agentic risk

Overview

This Bilibili skill is mostly an API wrapper, but it stores a user API key locally and relies on a third-party backend with several copy-paste inconsistencies that warrant review.

Install only if you are comfortable giving a xiaobenyang API key to this skill and having it stored in a local .env file. Review the backend dependency and copy-paste mismatches first, avoid using shared or committed project directories for the saved key, and remove XBY_APIKEY from .env when you no longer need the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill documentation instructs the agent to read environment/config values, persist an API key locally, and call external services, but it does not declare corresponding permissions. This creates a transparency and consent gap: users may not realize the skill can access local configuration, write secrets to disk, and perform network operations, increasing the risk of unintended secret exposure or over-broad execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The skill is presented as a Bilibili API service, but the instructions reveal additional behavior: collecting a user-supplied API key, persisting it locally, and relying on a third-party 'xiaobenyang' service rather than a clearly described direct Bilibili integration. This mismatch undermines informed consent and can mislead users about where their data and credentials are sent.

Intent-Code Divergence

Severity: Medium
Confidence: 85%
Finding
The workflow example references an unrelated function `search_schools` in a skill claimed to be for Bilibili operations. Cross-domain inconsistencies like this are a supply-chain red flag because they suggest copy-paste reuse from another project, making it harder to verify what code will actually run and increasing the chance of unintended or hidden functionality.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The configuration clearly targets a different service namespace and endpoint than the declared skill, indicating a supply-chain/integrity mismatch. This can cause the skill to send credentials or requests to an unintended backend, undermining trust and potentially exposing data to the wrong service.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill requires the user to provide an API key and instructs the agent to save it via `set_api_key`, but it does not warn the user that the secret will be persisted in configuration/.env. Storing secrets without explicit notice can lead to accidental disclosure, unsafe local retention, and consent violations, especially on shared systems.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The function persists the API key to a local .env file automatically, without explicit user consent, secure storage controls, or visibility into the persistence behavior. Secrets written to project files are commonly leaked via source control, backups, logs, or broader filesystem access.

VirusTotal

64/64 vendors flagged this skill as clean.
