ClawHub

B站 (bilibili) 热门视频监控

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised Bilibili report and email workflow, but it asks for powerful account and email credentials and stores them in a local plaintext config file.

Install only if you are comfortable giving the skill a live Bilibili session cookie, an OpenRouter API key, and SMTP credentials. Prefer environment variables or a dedicated low-risk account, avoid command-line secrets, restrict or delete bilibili-monitor.json after use, and confirm the recipients and content before sending email.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell commands and Python scripts that read/write local files, access credentials, and use network services, yet it declares no permissions. This weakens platform trust boundaries and informed consent because users and policy engines cannot accurately assess that the skill will touch the filesystem, use secrets, and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The advertised purpose is a Bilibili hot-video daily report, but the workflow also gathers raw Bilibili cookies, OpenRouter API keys, Gmail credentials, sends content to third-party AI providers, and can process broader video/subtitle data than the description suggests. This mismatch is dangerous because users may consent to a simple reporting tool without realizing it performs credential handling and external data transmission.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The helper accepts an unrestricted cookie dictionary and installs all provided cookies into the session, even though the stated skill only needs to read public trending videos and optionally access limited authenticated endpoints. This broadens the credential-handling surface and can unintentionally reuse high-value account cookies for unrelated requests, increasing the risk of credential misuse or over-privileged access if the skill is extended or compromised.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements subtitle enumeration, subtitle download, and subtitle text extraction capabilities that are not disclosed in the skill description about generating a daily hot-video report. Hidden content-retrieval features increase the data-access scope of the skill and can enable collection of full video text content beyond what users would reasonably expect from the advertised functionality.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README says subtitles plus an OpenRouter LLM are used to generate summaries, but it does not clearly warn users that video subtitle/content data will be transmitted to a third-party AI provider for processing. This creates a data-sharing and privacy risk because users may assume processing is local, while subtitles or content-derived text could be sent off-device to external services with different retention or usage policies.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the user to place highly sensitive secrets—raw Bilibili cookies, an OpenRouter API key, and a Gmail app password—into a plaintext JSON file on disk. If that file is read by other local users, malware, backups, logs, or accidental sharing, it could enable account access, API abuse, and unauthorized email sending.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The AI option states that OpenRouter is needed for summaries, but it does not clearly warn that video-derived subtitle/content data will be transmitted to OpenRouter and potentially the selected downstream model vendor. This creates a consent and privacy gap, especially if subtitles or metadata contain sensitive or copyrighted material.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Passing sensitive cookies such as SESSDATA via command-line arguments exposes them to shell history, process listings, job control logs, and potentially other local users on shared systems. Even if the script itself does not print the secrets, this input method materially increases the chance of credential disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Video subtitle text is sent to OpenRouter for summarization without an explicit consent notice or privacy control at the call site/runtime flow. Subtitles can contain personal, proprietary, or otherwise sensitive content, so forwarding them to a third-party LLM creates a real data disclosure risk beyond the local Bilibili/API retrieval context.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code sends video metadata and AI-generated summaries to an external LLM service without clearly disclosing that this data leaves the local environment. While the metadata is often public, summaries and aggregated context may still reveal sensitive or policy-restricted information depending on the source videos and deployment setting.

Ssd 3

Medium
Confidence
84% confidence
Finding
Untrusted subtitle text is embedded verbatim into the LLM prompt, which can cause sensitive or unsafe content from the source material to be echoed, summarized, or preserved in downstream outputs. In addition, prompt injection content embedded in subtitles may steer the model away from the intended summarization task, degrading output integrity and potentially causing leakage of adjacent prompt context.

External Transmission

Medium
Category
Data Exfiltration
Content
def get_subtitle_info(aid: int, cid: int, sessdata: str = "") -> list:
    """获取字幕信息"""
    url = f"https://api.bilibili.com/x/player/wbi/v2?aid={aid}&cid={cid}"

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
Confidence
90% confidence
Finding
https://api.bilibili.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal