bilibili summary skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it advertises, but it handles live Bilibili login cookies in plaintext and uses them too broadly to receive a clean final approval.

Install only if you are comfortable giving this skill access to a Bilibili login session. Use it in a private workspace, do not paste cookies into chat, do not commit or share cookie.txt, delete the cookie when finished, and invoke it only when you explicitly want Bilibili subtitle retrieval or analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tainted flow: 'sub_url' from requests.get (line 229, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
                    continue
                if sub_url.startswith("//"):
                    sub_url = "https:" + sub_url
                body = requests.get(sub_url, headers=headers, timeout=10).json()
                if "body" in body:
                    return body["body"]
    except Exception:
Confidence: 88%
Finding:
body = requests.get(sub_url, headers=headers, timeout=10).json()

Tainted flow: 'sub_url' from requests.get (line 229, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
                if sub_url.startswith("//"):
                    sub_url = "https:" + sub_url
                if sub_url:
                    body = requests.get(sub_url, headers=headers, timeout=10).json()
                    if "body" in body:
                        return body["body"]
    except Exception:
Confidence: 88%
Finding:
body = requests.get(sub_url, headers=headers, timeout=10).json()

Tainted flow: 'sub_url' from requests.get (line 229, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
                sub_url = "https:" + sub_url

            print("⬇️  正在下载字幕...")
            body = requests.get(sub_url, headers=headers, timeout=10).json().get("body")

        if not body:
            return None, "❌ 获取字幕失败:返回数据为空"
Confidence: 90%
Finding:
body = requests.get(sub_url, headers=headers, timeout=10).json().get("body")

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The trigger guidance is overly broad: phrases like mentioning a bilibili link "even casually" can cause the skill to activate in many normal conversations that are not explicit requests to process video content. In an agent environment, this can lead to unexpected tool invocation, unintended network access, and unnecessary handling of user-linked content or local login state (such as cookies), increasing privacy and security risk.

Vague Triggers

Severity: High
Confidence: 96%
Finding:
The trigger guidance is overly broad: it says the skill must activate for nearly any mention of Bilibili links, subtitles, summaries, or even a casual mention of a bilibili URL. This can cause the agent to invoke credential-dependent workflows unexpectedly, leading to unnecessary network access, file writes, or prompting users for sensitive login material in contexts where they did not intend to use this skill.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The documentation explicitly tells users to manually extract sensitive `SESSDATA` and `bili_jct` cookies and store them in `cookie.txt`, but does not provide adequate warnings about account takeover risk, token scope, local plaintext storage, or safe handling practices. Because these cookies can authenticate the user to Bilibili, exposing or mishandling them could let another party impersonate the account or access account-linked resources.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script writes active Bilibili authentication material (SESSDATA and bili_jct) to a plaintext local file without an explicit warning about its sensitivity or any protection on file permissions. If another local user, process, backup system, or malware can read that file, the credentials could be reused to access the user's account session and perform authenticated actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The script loads a raw Cookie from disk and automatically attaches it to outbound requests, but it does not present a clear warning about credential sensitivity, privacy impact, or risks of reuse on secondary URLs. In this skill's workflow, obtaining subtitles may require login, so users are likely to provide real session cookies, making accidental leakage or unsafe storage more consequential.

VirusTotal

66/66 vendors flagged this skill as clean.