ClawHub

Bilibili Video Captions API

Security checks across malware telemetry and agentic risk

Overview

This is a focused Bilibili captions API helper with a real token-handling caveat but no hidden or unrelated behavior.

Install only if you are comfortable with your JustOneAPI token being sent in the request URL. Prefer a scoped or disposable token if available, avoid sharing logs or errors that may include full URLs, and rotate the token if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill defines the API access token as a query parameter and injects it into the request URL. Query-string credentials are commonly exposed in logs, browser/history tooling, proxy caches, observability systems, and error reports, making accidental credential disclosure more likely even when HTTPS is used.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for the API.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
98% confidence
Finding
Access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal