ClawHub

bilibili-video-search-and-download

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it can use browser cookies and its downloader is broader than Bilibili-only use.

Install only if you are comfortable with a skill that can run Python tools, install dependencies, contact Bilibili and other URLs accepted by yt-dlp, and write downloaded media locally. Avoid the browser-cookie command unless you explicitly want the agent to access your Chrome session cookies; prefer a narrowly scoped exported cookies file if authenticated downloads are necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs execution of shell commands, network access to Bilibili, and writing files such as `search.json` and downloaded media, yet no permissions are declared. This is dangerous because an agent or reviewer may underestimate the skill's operational reach, reducing user awareness and weakening policy enforcement around filesystem, network, and subprocess use.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script accepts any non-BV argument as a URL and passes it directly to yt-dlp, despite the skill being described as limited to Bilibili content. In an agent setting, this broadens the tool from a site-specific downloader into a generic remote fetch capability, which can bypass policy expectations, access unintended domains, and increase the blast radius of misuse.

Unvalidated Output Injection

High
Category
Output Handling
Content
def download_video(url: str, output_dir: Path):
    output_dir.mkdir(parents=True, exist_ok=True)
    print(f"正在下载: {url}")
    result = subprocess.run(
        [
            sys.executable, "-m", "yt_dlp",
            "-o", str(output_dir / "%(title)s.%(ext)s"),
Confidence
89% confidence
Finding
subprocess.run( [ sys.executable, "-m", "yt_dlp", "-o", str(output

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
### 6. Filename Handling

yt-dlp keeps Chinese characters and punctuation (【】《》~, etc.) in filenames as-is. This can cause shell globbing issues when using `rm` or other commands. Always quote file paths with double quotes.

### Download Script
Confidence
91% confidence
Finding
cookies-from-browser chrome

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal