Bilibili Garb

Security checks across malware telemetry and agentic risk

Overview

This Bilibili garb skill is mostly purpose-aligned, but it asks users to capture and store powerful Bilibili account session credentials, so it needs review before installation.

Install only if you understand the Bilibili account risk. Do not share the workspace or config file, avoid putting real tokens in shell commands or logs, prefer a limited/throwaway account, and rotate or revoke credentials after use. Treat the traffic-capture instructions as high-risk and potentially against platform expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes significant capabilities—environment access, file read/write, shell, and network use—without declaring permissions or constraining their use. In this context, the omission is risky because the skill also handles sensitive credentials and writes local result files, so users and the platform cannot accurately assess or sandbox what the skill can access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose sounds like ordinary garb metadata lookup, but the skill behavior includes loading highly sensitive account credentials, constructing signed mobile API requests, and performing authenticated user-specific scans with persistent local storage. That mismatch is dangerous because it can mislead users into granting or supplying secrets for what appears to be a low-risk data utility, increasing the chance of credential misuse or unexpected account-impacting behavior.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The setup directs users to capture credentials from Bilibili mobile app HTTP traffic, including app secrets and access tokens, which is a sensitive interception workflow not justified by a simple garb-data collection task. This encourages unsafe credential harvesting practices that can violate platform security expectations and expose account tokens to theft, reuse, or accidental disclosure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document explicitly instructs users to obtain `access_key`, `SESSDATA`, `bili_jct`, and related credentials from intercepted mobile traffic and cookies. That goes beyond normal API reference material and facilitates credential harvesting and authenticated access to a user's account-scoped data, increasing the risk of account compromise, privacy violations, and misuse of unofficial APIs.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The signing section provides a complete recipe for emulating authenticated mobile API requests, including parameter construction and MD5 signing with an app secret obtained from the client. In context, this materially enables bypass of intended access boundaries for private endpoints and operationalizes unauthorized access to account-level resources.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference expands from simple garb lookup into authenticated enumeration of user assets, collection ownership, held cards, and transfer records. That broadens the skill from benign metadata retrieval to account-level surveillance and inventory access, which is more sensitive and more easily abused if credentials are available.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The SOP explicitly instructs operators to use a man-in-the-middle proxy to intercept mobile HTTPS traffic and extract live credentials, including app secrets, access tokens, and session cookies. That is a credential-harvesting workflow, not a normal data-query procedure, and it materially increases the chance of account compromise, unauthorized API use, and secret reuse beyond the stated garb-management purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The SOP shows how to use intercepted credentials and full session cookies to call authenticated endpoints directly, expanding the skill from public metadata collection into account-authenticated access. Even if intended for the owner's account, embedding this pattern normalizes unsafe handling of powerful credentials and can facilitate unauthorized access if reused or copied.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill asks for SESSDATA, access_key, csrf token, UID, and appsecret without any warning about the sensitivity of these values or the consequences of exposing them. In a skill that also uses shell, files, and network access, this materially raises the risk of account compromise, session hijacking, unauthorized API use, and leakage of personally linked account data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells operators to obtain authentication material via packet capture and cookies but provides no warning about legal, privacy, account security, or token-handling risks. This omission normalizes unsafe credential practices and increases the chance that sensitive session data will be mishandled or exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Recommending periodic recapture of mobile traffic to refresh `access_key` encourages repeated credential interception without discussing compliance, consent, or secure handling. In this context, it operationalizes an unsafe process for sustained access to authenticated APIs rather than a one-off reference note.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document tells users to capture and update live credentials without any warning about account takeover risk, privacy exposure, token scope, or safe handling requirements. Omitting these safeguards makes misuse and accidental disclosure significantly more likely, especially for non-expert operators following the SOP literally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example curl command places sensitive tokens in the URL and headers, which can leak via shell history, terminal scrollback, logs, monitoring tools, browser/proxy history, and process listings. Providing a ready-to-run example without warning or safer alternatives encourages operators to expose active session material unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --debug is enabled, the script prints the full request parameters, which include access_key, csrf, and account-linked identifiers after signing. These values may end up in terminal history, CI logs, shared screenshots, or centralized log systems, enabling credential reuse or account session abuse if exposed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal