ClawHub

Bilibili User Profile API

Security checks across malware telemetry and agentic risk

Overview

This is a focused Bilibili profile lookup wrapper, but users should treat its token handling and returned profile data carefully.

Install only if you trust JustOneAPI and are comfortable with your API token being used in a query-string based request. Use the minimum necessary profile lookup, avoid sharing logs or URLs that might contain the token, rotate the token if exposed, and do not treat Bilibili profile metadata as proof of identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill retrieves identity-related profile data, audience metrics, and verification fields about a Bilibili user, but it does not warn users that the response may contain sensitive personal or quasi-personal information. In an agent setting, that omission increases the risk of over-collection, unsafe sharing, or inappropriate downstream use of profile data without user awareness or consent controls.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill defines the API token as a query parameter and later appends all query parameters directly to the request URL. Tokens in URLs are commonly exposed through logs, browser/history artifacts, proxy telemetry, monitoring systems, and error reports, which increases the chance of credential disclosure even when TLS is used.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill description is broad and does not clearly limit when the operation should be invoked, which can cause an agent to call it in loosely related contexts. Ambiguous activation scope increases the chance of unnecessary collection of user profile data and unintended use of the external API.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The description claims the API can be used for 'verifying user identity,' but a public platform profile is not a trustworthy identity proof on its own. This framing can mislead downstream agents or users into treating profile metadata and verification badges as authoritative identity evidence, enabling impersonation or unsafe decision-making.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal