Bilibili Video Analysis Expert

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Bilibili video-analysis purpose, but it ships and preserves raw unmoderated social-media text that may include unsafe content and lacks clear moderation or retention controls.

Install only if you are comfortable with a tool that fetches and may locally retain public Bilibili comments and danmaku. Before use, delete bundled cache files, use --no-cache when persistence is not needed, avoid bulk scraping, and review or filter raw comments before redisplaying them in reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The guide documents collecting comments and user profile data such as user IDs, usernames, avatars, signatures, and interaction metadata without any privacy, minimization, or compliance warning. In an agent skill context, this can normalize bulk scraping and downstream processing of personal data, increasing the risk of privacy abuse or policy-violating data collection.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The JSON contains user-generated danmaku advocating retaliatory violence against Europeans. Even though this is archived content rather than executable code, storing and potentially redisplaying violent extremist rhetoric can facilitate dissemination of hate or violent incitement through downstream systems that consume this cache.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
This finding corresponds to natural-language content explicitly calling to burn Europe in retaliation. In the context of a cached social-media transcript, the danger is content-safety related: downstream applications may surface, index, train on, or amplify direct calls for mass retaliatory violence.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The dataset includes a direct call to exterminate a targeted group using dehumanizing language. That is dangerous because cached harmful rhetoric can be replayed by applications, recommendation systems, search indexes, or AI training/evaluation pipelines, increasing the risk of normalization or amplification of violent hate speech.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes extracted video metadata, danmaku, and comments to a local cache file automatically, without clear user notice or consent. While this is not remote code execution or direct exfiltration, it can create privacy and data-handling risks because potentially sensitive browsing targets and retrieved content are persisted on disk unexpectedly.

Ssd 2

High
Confidence
97% confidence
Finding
This is a paraphrased retaliation call advocating violence against Europe, and it appears to overlap the same unsafe user-generated content identified by the SQP finding. The main risk is not code execution but unsafe content propagation: systems consuming this file may publish, rank, or learn from extremist retaliation language.

Ssd 2

High
Confidence
99% confidence
Finding
This finding flags a natural-language call to burn Europe in retaliation present in user comments. In this skill context, the file is a cache of external content, which makes the issue more dangerous because untrusted third-party text is being preserved and may be reused in downstream contexts without moderation.

Ssd 2

High
Confidence
99% confidence
Finding
The file contains explicit non-standard phrasing urging the burning of Europe, which is still a clear call for violence. Because this content is inside a machine-readable JSON cache, it can be silently ingested by other services, making moderation bypass and harmful-content reuse more likely.

Ssd 2

High
Confidence
98% confidence
Finding
This finding captures a dehumanizing call for extermination of a targeted group. The skill context increases risk because this appears to be unmoderated user-generated content in a cached artifact, which could be redistributed, indexed, or incorporated into model inputs and outputs without safeguards.

VirusTotal

62/62 vendors flagged this skill as clean.
