ClawHub

Bilibili Subtitle Downloader

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Bilibili subtitle downloader, but it saves reusable Bilibili login sessions in local plaintext files without enough scoping, protection, or cleanup guidance.

Review before installing. Only scan the Bilibili QR code in a workspace you trust, because the skill saves reusable account cookies locally. After use, consider deleting ~/.openclaw/workspace/bilibili_cookie.txt and bilibili_cheese_session.json, and avoid passing untrusted or malformed video IDs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'target_url' from requests.get (line 106, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if target_url.startswith('//'):
        target_url = 'https:' + target_url
    
    resp = requests.get(target_url)
    body = resp.json().get('body', [])
    full_text = "\n".join([b.get('content', '') for b in body])
    return full_text
Confidence
88% confidence
Finding
resp = requests.get(target_url)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation instructs the agent to execute Python scripts, access local files, write output and cookies, and make network requests, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users and platforms cannot accurately assess or constrain the skill's real capabilities before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially exceeds the stated purpose: it performs QR-based login, persists Bilibili cookies locally, and accesses Cheese course content while claiming only subtitle download/splitting/summarization for BV IDs or URLs. This mismatch can mislead users into authorizing account access and local credential storage they did not expect, increasing the risk of privacy violations and misuse of paid-content access.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill performs QR-code account login and obtains persistent authenticated credentials even though its stated purpose is subtitle retrieval and summarization. Expanding from public-content processing to account-bound session handling increases exposure of user credentials and authenticated access surface, especially in agent environments where local files or console outputs may be visible to other components.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly saves Bilibili login cookies to a local file in the user's home workspace without any warning about persistence, reuse, theft risk, or session scope. Stored session cookies are sensitive credentials; if another process, agent, or user can read that file, the Bilibili account may be hijacked or abused without re-authentication.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code writes session cookies to a predictable local JSON file in plaintext without warning the user or applying any protection. If the host is shared, compromised, or logs/workspace artifacts are exposed, an attacker could reuse the cookies to access the user’s Bilibili account session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists authenticated Bilibili cookies to a fixed file under the user's home workspace with no permission hardening, expiry handling, or user disclosure. Anyone with access to that file or workspace can reuse the session to access the user's Bilibili account, making this a credential exposure issue rather than a harmless convenience feature.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal