Bilibili User Published Videos API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI helper for reading Bilibili video data, but users should understand its API token is passed through command arguments and the request URL.

Install only if you trust JustOneAPI and are comfortable using a JustOneAPI token for this endpoint. Keep the token in the environment variable, avoid sharing command lines or logs that include it, and rotate the token if you think process listings, shell history, proxy logs, or API logs may have captured it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill accepts the API token via a CLI argument and places it into the URL query string, which exposes the credential in shell history, process listings, logs, proxies, analytics systems, and server access logs. Although the request uses HTTPS, query-string secrets are routinely captured by intermediaries and observability tooling, making this a real credential-handling flaw rather than a harmless implementation detail.

Credential Access

High

Category: Privilege Escalation
Content: "parameters": [ { "defaultValue": null, "description": "Access token for the API.", "enumValues": [], "location": "query", "name": "token",
Confidence: 90% confidence
Finding: Access token

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal