Bilibili Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Bilibili downloader, but users should handle Bilibili session cookies and download paths carefully.

Install only if you need Bilibili downloading and trust the publisher. Use a normal downloads folder, do not run the scripts as administrator/root, and treat BILIBILI_SESSDATA like a password: do not paste it into chats, logs, screenshots, shared shells, or committed files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs users to export a live Bilibili session cookie into an environment variable without warning that SESSDATA is a sensitive authentication secret. In agent or shared-shell environments, environment variables can be exposed through logs, subprocess inheritance, debugging output, or accidental reuse, which could enable account takeover or unauthorized access to premium content.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The guide tells users to place the Bilibili SESSDATA session cookie into an environment variable and directly into code, but it does not warn that this value is an authentication secret equivalent to a logged-in session. In an agent or automation context, users may paste real session cookies into scripts, shells, logs, screenshots, or shared environments, increasing the risk of credential leakage and account misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal