ClawHub

Bilibili Video Details API

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate API integration, but it handles the required access token in a URL query parameter without clear user-facing disclosure of that added exposure.

Install only if you are comfortable giving this skill a JustOneAPI token and having that token sent to the API service in the request URL. Use a scoped token if available, avoid sharing command output that might include URLs, and rotate the token if you suspect it was logged or exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill defines the API access token as a query parameter and automatically appends it to the request URL. Query-string credentials are commonly exposed through logs, browser history, proxy/CDN logs, monitoring systems, referrer leakage, and error reports, making accidental disclosure much more likely than header-based authentication. In this skill context, the danger is increased because the code normalizes all query parameters generically and provides no warning that secrets will be placed in the URL.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest requires an API access token to be sent as a query parameter but provides no user-facing warning about credential handling or network disclosure. Putting credentials in the URL is risky because query strings are commonly logged by clients, proxies, analytics systems, and server infrastructure, increasing the chance of token leakage.

Credential Access

High
Category
Privilege Escalation
Content
"parameters": [
        {
          "defaultValue": null,
          "description": "Access token for the API.",
          "enumValues": [],
          "location": "query",
          "name": "token",
Confidence
96% confidence
Finding
Access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal