Check the latest videos and updates of Bilibili ups and see if they have updated today

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Bilibili update-checking purpose, but it asks for full logged-in Bilibili browser cookies without enough scoping or safety warning.

Review before installing. Use this only if you are comfortable giving a local script your logged-in Bilibili cookies; prefer a temporary or low-privilege session, avoid pasting cookies into shared prompts or logs, and delete user_cache.json if you do not want local creator-search history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill invokes Python scripts that use environment variables, local caching, and network access, but it declares no permissions or trust boundaries. This is dangerous because the agent may handle sensitive cookies, write local files, and make outbound requests without explicit user awareness or policy enforcement, increasing the risk of credential exposure and unintended data access.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose is a simple update checker, but the described behavior expands into account-cookie use, local caching, user search, profile lookup, and subtitle retrieval/download. This mismatch is dangerous because users and reviewers may authorize a seemingly narrow skill while it performs broader data collection and account-scoped operations than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The skill manifest says it checks an uploader’s latest videos/dynamics and whether they updated today, but this code also retrieves subtitle metadata and downloads subtitle text. That expands data access beyond the declared purpose and can expose much more content than users would reasonably expect, increasing privacy and scope-creep risk even if the source is Bilibili.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The script requires full Bilibili cookies from the BILIBILI_COOKIES environment variable even though its stated purpose is only to view public uploader updates. Requesting account-authentication material expands the trust boundary unnecessarily and creates credential-exposure risk if the skill, its dependencies, logs, subprocesses, or surrounding agent framework mishandle environment variables.

Intent-Code Divergence

Severity: Low
Confidence: 85%
Finding:
The help/error text tells users to provide a non-existent --cookies parameter, while the code actually only reads BILIBILI_COOKIES from the environment. This mismatch can mislead users into pasting sensitive cookies more broadly during troubleshooting and obscures how credentials are really consumed, which is a security-relevant design/documentation flaw.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README instructs users to copy their full Bilibili Cookie header from browser developer tools and place it into an environment variable, but it does not clearly warn that cookies are highly sensitive session credentials that may grant account access. This creates a realistic risk of credential mishandling, accidental disclosure in shell history/process listings/logs, or reuse of overly broad session tokens when a narrower authentication method may be possible.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The trigger words include broad everyday terms like “B站”, “UP主”, and “最新视频”, which can cause accidental invocation in unrelated conversations. Because this skill uses authenticated cookies and network access, unintended triggering can lead to unnecessary external requests and exposure of account-scoped behavior without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill instructs users to export full Bilibili cookies from browser developer tools, but it does not provide strong warnings about credential sensitivity, storage risks, session hijacking, or least-privilege handling. Cookies often grant authenticated account access, so mishandling them can expose personal data or allow unauthorized actions under the user's account.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The client accepts arbitrary authentication cookies, including SESSDATA and bili_jct, and automatically attaches them to requests to .bilibili.com. These are sensitive account credentials; mishandling them can enable authenticated requests, account takeover risk if exposed elsewhere, and unexpected use of a user’s logged-in session without clear consent or disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script explicitly instructs users to extract full browser Cookie headers from developer tools and supply them to the program, without warning that these values can grant account access. In an agent-skill context, asking for full session cookies is especially risky because users may hand over reusable authentication material for a task that appears read-only and low-risk.

VirusTotal

58/58 vendors flagged this skill as clean.
