Security audit

IG Link To Bili

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for reposting Instagram videos to Bilibili, but it asks agents to use local browser session cookies and store them without enough safety boundaries.

Review before installing. Only use this with a Bilibili account you are comfortable posting from, and do not run cookie setup unless you understand it will read local browser session cookies and store them locally. Keep credentials.json out of version control and logs, restrict its file permissions, delete or rotate it when done, and be aware that this artifact references upload scripts that are not included for review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The documentation instructs the agent to add rejected authors to a runtime blacklist even though the skill manifest explicitly says it does not perform author blacklist behavior. This is a security-relevant integrity issue because the implementation guidance contradicts declared behavior, creating hidden filtering logic that users and operators would not expect.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly instructs the operator to extract Bilibili cookies from a local browser and write them into a credentials file, but the activation/description does not present a prominent user-facing warning about that sensitive action. This creates a consent and transparency problem: a user could invoke a repost workflow without understanding that browser session credentials will be harvested and persisted locally.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The document embeds a credential-bearing cookie example containing session-related fields such as SESSDATA, bili_jct, and DedeUserID without any masking guidance or handling warning. Even if partially redacted, this normalizes copying live auth material into docs and terminals, increasing the chance of credential leakage through version control, logs, screenshots, or reuse of real tokens.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The document recommends extracting browser cookies and writing them to credentials.json without any warning about the sensitivity of session tokens or the risk of local compromise. These credentials can grant account access, so normalizing their extraction and storage without handling guidance increases the chance of credential leakage or misuse.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The troubleshooting steps instruct users to print or inspect credential values from credentials.json, which can expose session data in terminal scrollback, shell history, screenshots, logs, or shared support transcripts. Even partial token disclosure can materially aid account compromise or reduce the secrecy of authentication material.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The example exposes authentication material in plain text context by showing concrete cookie field names and values in a shell command. In a skill that automates uploads to Bilibili, those tokens directly relate to account access, so accidental disclosure could enable session hijacking or unauthorized actions if copied from a real account.

VirusTotal

62/62 vendors flagged this skill as clean.