bilibili-cli

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Bilibili CLI, but it should be reviewed because it automatically uses local browser session cookies and can perform real account actions.

Install only if you are comfortable letting the skill access your local Bilibili browser session and store those credentials locally. Use it in read-only workflows by default, require explicit approval for posts, deletes, likes, coins, triple actions, unfollows, and file-to-post operations, and run `bili logout` if you want to remove the saved credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes capabilities including shell, network, file read/write, and environment access, but does not declare permissions or boundaries. In an agent setting, this weakens user awareness and consent, making it easier for the skill to perform sensitive actions such as reading local credentials, writing files, or invoking mutating commands without clear authorization.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description emphasizes browsing and token-efficient output, but the documented behavior includes credential discovery, credential storage, account management, posting/deleting content, social interactions, and audio download/write operations. This mismatch is dangerous because users or orchestrating agents may treat the skill as read-only when it can actually access secrets and perform irreversible or reputation-affecting account actions.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The module adds authentication persistence, browser cookie harvesting, and QR login flows to a skill described primarily as a browsing-oriented CLI. That scope expansion increases trust and data-access exposure beyond what a user may reasonably expect from the published capability description.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code silently inspects local browser cookie stores and extracts Bilibili session cookies, which are authentication secrets. In an agent-skill context, this is dangerous because it enables takeover of an existing logged-in session without a fresh login prompt, expanding access to private account data and actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The CLI advertises and registers multiple state-changing commands such as login/logout, dynamic posting/deletion, likes, coins, follows, and other account/social interactions, while the skill description emphasizes browsing-oriented functionality. This mismatch can mislead an agent or operator into granting broader trust than warranted, increasing the risk of unintended actions on a user's account if the skill is invoked automatically or with ambient credentials.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata describes a terminal browsing client, but this file also exposes state-changing account operations such as follow/unfollow, posting and deleting dynamics, likes, coins, and triple actions. That scope expansion is security-relevant because an agent or user expecting read-only behavior may unknowingly authorize mutations to a real Bilibili account, increasing risk of unintended account actions or abuse if invoked by higher-level automation.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The advertised purpose is token-efficient browsing, but this code downloads media and writes files to local disk, then further processes audio into segmented WAV files. That materially expands the trust boundary from remote data retrieval to local filesystem modification and media handling, which can surprise callers, consume disk space, and create persistence of fetched content beyond the stated browsing use case.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Audio download and splitting are not justified by the stated browsing-focused skill description and introduce additional attack surface through network retrieval, file creation, and media decoding via PyAV. In an agent setting, unjustified capability expansion is dangerous because it enables unexpected data persistence and resource consumption that a caller may not have consented to.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This command materially expands the skill from a browsing-oriented Bilibili CLI into downloading media to the local filesystem and post-processing it into ASR-ready audio segments. In an agent setting, that increases the capability surface from read-only content retrieval to persistent file creation and media transformation, which can enable unapproved data exfiltration workflows, disk consumption, and downstream transcription of copyrighted or sensitive content.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements write-capable commands to publish and delete Bilibili dynamics even though the skill metadata describes a browse-oriented CLI for viewing content. In an agent context, this capability expansion is dangerous because a caller expecting read-only behavior could be induced to perform irreversible account actions, including public posting or content deletion, once authenticated with write-capable credentials.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The --from-file option reads arbitrary local file content and submits it as a posted dynamic, which is not necessary for a browsing-focused skill. In an agent setting, this creates a local file exfiltration path: a prompt or workflow could cause sensitive local data to be read and published to a remote service under the user's account.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
These tests document functionality for posting and deleting dynamics, which are write-capable account actions and go beyond the skill's stated browsing-oriented description. That mismatch is dangerous because agents or users may grant trust based on a read-only mental model while the skill can actually modify account state.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
These tests reveal additional account-modifying commands such as like, coin, triple, and unfollow that are not reflected in the browsing-focused description. In an agent setting, undisclosed social/account actions materially increase risk because an agent may trigger reputation-affecting or irreversible actions under the assumption the skill only reads public data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents commands that can post content, delete dynamics, like, coin, favorite, and unfollow without prominent warnings, confirmation requirements, or guidance to obtain explicit user consent first. In agent-driven workflows, this creates a real risk of unintended account modification, financial-like spend of limited platform resources, or social actions being executed automatically.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The browser-cookie extraction path runs automatically with no explicit user-facing warning or confirmation. Accessing local browser-stored credentials without informed consent is a security and privacy issue, especially in an AI-agent tool where users may not realize local secrets are being read.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The function deletes a dynamic immediately when called and contains no built-in confirmation, warning, or secondary safeguard. In an LLM-agent workflow, a mistaken tool call, prompt injection, or ambiguous user request could therefore cause irreversible account-side content deletion with little friction.

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
bili login                     # QR code login (if not authenticated)
```

Authentication auto-detects local browser cookies (Chrome/Firefox/Edge/Brave). If cookies are found and valid, no manual login needed. Credentials are saved to `~/.bilibili-cli/credential.json`.

## Command Reference
Confidence
90% confidence
Finding
cookies (Chrome/Firefox/Edge

VirusTotal

No VirusTotal findings
