Deepsop Bilibili Workbench

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Bilibili upload purpose, but it can automatically install and run external code from GitHub or third-party mirrors and can publish videos without a clearly required final confirmation step.

Install only if you are comfortable letting the agent clone and run the social-auto-upload project, download dependencies, and operate a Bilibili account from local login state. Before any upload, verify the exact account, video file, title, description, tags, category, schedule, and whether it will publish or draft, and avoid third-party mirror fallback unless you trust those sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "--tags", "足球,测试",
        "--schedule", "2026-03-26 16:00",
    ]
    subprocess.run(command, check=True)


if __name__ == "__main__":
Confidence
70% confidence
Finding
subprocess.run(command, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This markdown file states that the skill will automatically clone a repository and prepare dependencies on first use, which can modify the local system and install software. The README does not present this as a warning or caution, and the surrounding usage text emphasizes convenience rather than disclosing the impact on the user's environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This markdown file describes behavior that automatically clones the SAU repository and prepares dependencies, which affects system state and performs network activity. Although the text instructs the agent to do this automatically, it does not clearly warn the user about these side effects or their impact on the local environment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The markdown states that the skill uploads a Bilibili video, but it does not explicitly warn that using this feature sends user-provided media and related metadata to an external service. For markdown files, behaviors affecting user data or privacy should be clearly disclosed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This markdown file documents an `upload-video` command, including file path, title, description, tags, and scheduling parameters, but it does not explicitly warn that these inputs will be sent to an external platform. For markdown files, user-facing descriptions should disclose behaviors that may affect user data or privacy; uploading media and metadata to a third-party service meets that threshold.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This markdown file instructs the agent to automatically prepare the environment and explicitly says the agent should not ask the user to manually install or clone. Later steps perform a git clone into the user's home directory, create `conf.py`, and run `uv sync`, but the description does not provide an upfront user warning that the skill may download code, create local files, and modify the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions say the agent must automatically retry via Gitee and multiple proxy/mirror domains and specifically not ask the user first. Because this changes where the user's network requests go and may expose repository access metadata to third-party services, the markdown should clearly disclose this privacy and integrity impact to the user before doing so.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
All operational guidance in the file is written in Chinese and includes imperative instructions to the agent, but there is no indication that the user can choose another language or that the skill is intentionally restricted to a Chinese-speaking locale. This can violate language/locale policy when users are not given an opt-in or alternative.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code constructs and executes a CLI command that uploads a video to Bilibili, which is an external network operation affecting user-controlled content and account state. Although the module docstring describes the file as an upload template, there is no confirmation prompt, logging, or explicit user-facing warning near the execution point to disclose that running the script will perform the upload.

Hidden Instructions

High
Category
Prompt Injection
Content
# Bilibili CLI contract

**Invocation prefix**: all commands are run in the form `uv run --project <SAU_HOME> python sau_cli.py bilibili ...`, where `<SAU_HOME>` is `~/.openclaw/social-auto-upload`. For brevity the commands below are written simply as `python sau_cli.py bilibili ...`; the agent must automatically add the `uv run --project <SAU_HOME>` prefix. See `runtime-requirements.md` for details.
Confidence
60% confidence
Finding
Hidden instructions were detected in comments or invisible text. These could contain malicious directives. Manual review is recommended.

Hidden Instructions

High
Category
Prompt Injection
Content
# Runtime prerequisites

This skill depends on the [social-auto-upload](https://github.com/dreammis/social-auto-upload) project (hereafter SAU). OPclaw bundles the `uv` tool and **automatically prepares** the entire runtime environment; the agent should not ask the user to manually pip install or clone.
Confidence
60% confidence
Finding
Hidden instructions were detected in comments or invisible text. These could contain malicious directives. Manual review is recommended.

Hidden Instructions

High
Category
Prompt Injection
Content
# Bilibili FAQ

> All `python sau_cli.py bilibili ...` commands must be run in the `<SAU_HOME>` context (that is, `~/.openclaw/social-auto-upload`), prefixed with `uv run --project <SAU_HOME>`. See `runtime-requirements.md` for details.
Confidence
60% confidence
Finding
Hidden instructions were detected in comments or invisible text. These could contain malicious directives. Manual review is recommended.

Hidden Instructions

High
Category
Prompt Injection
Content
# Assumes social-auto-upload has already been cloned to $SAU_HOME and `uv sync --python 3.12` has already been run.
$SAU_HOME = "$env:USERPROFILE\.openclaw\social-auto-upload"

# Log in
Confidence
60% confidence
Finding
Hidden instructions were detected in comments or invisible text. These could contain malicious directives. Manual review is recommended.

Known Vulnerable Dependency: uv — 4 advisories: CVE-2025-54368 (uv allows ZIP payload obfuscation through parsing differentials); GHSA-pjjw-68hj-v9mw (uv vulnerable to arbitrary file deletion through RECORD entries); CVE-2025-13327 (uv allows ZIP payload obfuscation through parsing differentials) +1 more

Low
Category
Supply Chain
Confidence
60% confidence
Finding
uv
(This finding is reported 5 times in the scan.)

Possible Typosquatting: 'test' resembles popular package 'pytest'

High
Category
Supply Chain
Confidence
70% confidence
Finding
test

Possible Typosquatting: 'git' resembles popular package 'pip'

High
Category
Supply Chain
Confidence
70% confidence
Finding
git
(This finding is reported 5 times in the scan.)

VirusTotal

VirusTotal findings are pending for this skill version.
