ClawHub

bilibili-reader-skill

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for summarizing Bilibili favorites, but it deserves review because it stores reusable Bilibili login cookies in plaintext and can hand generated PDFs to external chat platforms.

Install only if you are comfortable giving the skill reusable Bilibili session cookies. Keep the .env file private with restrictive permissions, choose no delivery unless you intentionally want PDFs sent through a chat service, confirm the destination before any send, and periodically delete local history/vector data if you do not want long-term records of your viewed or summarized favorites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description implies local summary/PDF generation, but the workflow also supports sending generated PDFs and summaries to third-party messaging platforms. That mismatch can lead to unanticipated disclosure of potentially sensitive user-derived content outside the local environment.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented workflow includes browser-based login and automatic cookie extraction/storage, which is materially more sensitive than ordinary summarization. Users may not expect the skill to collect session credentials and persist them locally, increasing the risk of credential exposure or misuse.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The function launches a browser, waits for the user to log in, then extracts reusable Bilibili session cookies including SESSDATA and bili_jct. This is credential collection capability, and for a skill whose stated purpose is summarizing favorite videos into a PDF, collecting full account session tokens is broader than necessary and creates account-takeover risk if the tokens are exposed or reused elsewhere.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code persists reusable authentication cookies to a project-local .env file, turning a temporary login into long-lived credential storage on disk. Session cookies such as SESSDATA can often be reused to impersonate the user, so storing them in plaintext increases the chance of theft through local compromise, accidental commits, backups, or log/access by other tools.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code emits structured delivery instructions for sending the generated PDF and summary to external messaging platforms, creating a clear path for data to leave the local workflow. Even though this function only prints instructions rather than directly transmitting, it normalizes outbound sharing of potentially sensitive derived content without clear user confirmation or destination validation in this file.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises automatic pushing of generated summaries to external platforms such as WeChat, Feishu, Telegram, and Discord, but the nearby description does not clearly warn that video-derived content, comments, danmaku, and possibly sensitive extracted text may be transmitted off-device. Users may enable delivery without understanding that processed content leaves the local environment and is shared with third-party services, creating privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The agent-driven setup says it will guide the user through Bilibili login and configuration, but it does not prominently warn at that point that sensitive session cookies will be collected and persisted locally. Because these cookies are equivalent to account access, users may authorize setup without realizing the credential sensitivity, storage location, or compromise implications.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Broad trigger phrases increase the chance of accidental activation, which is risky here because the skill can access cookies, files, shell commands, and external services. Mis-triggering a high-capability skill can lead to unintended login flows, data access, or outbound actions without clear user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs automatic acquisition and storage of Bilibili cookies in a local .env file but does not provide strong warning about plaintext secret storage, local compromise risk, or account takeover implications. Session cookies are highly sensitive credentials and should be treated like passwords.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Allowing automatic PDF transmission to third-party platforms without strong warnings about destination defaults and privacy implications can expose private viewing preferences, summaries, or account-derived content. The risk is elevated because the output is generated from user-specific Bilibili data and may contain sensitive interests or notes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The notes explicitly instruct use of authenticated `Cookie` headers containing session tokens such as `SESSDATA` and `bili_jct`, but provide no safeguards for secret storage, redaction, scoping, or user consent. In an agent setting, this creates a real risk of credential leakage through logs, prompts, error messages, subprocess inspection, or unintended transmission, which could enable account takeover or unauthorized access to private Bilibili data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill saves sensitive account cookies to disk without an explicit warning at the point of action that reusable credentials will be persisted locally. Users may reasonably believe they are only logging in interactively for the current session, not authorizing durable storage of account tokens, which undermines informed consent and increases the chance of unsafe handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The curl fallback manually forwards SESSDATA, bili_jct, and buvid3 in a Cookie header to whatever URL is passed into _curl_get. Because this helper is also used for subtitle retrieval where the URL can originate from remote API response data, a malicious or compromised upstream response could cause authenticated cookies to be sent to a non-Bilibili host, leaking account credentials/session material.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manual setup flow asks the user to paste live Bilibili session cookies and stores them in a plaintext .env file. These values are authentication secrets; if the file is exposed through local compromise, backups, logs, repository commits, or weak file permissions, an attacker could reuse the session to access the user's account data.

Ssd 3

Medium
Confidence
94% confidence
Finding
Using conversation context as the default delivery target creates a real risk of sending generated files or summaries to unintended recipients or third-party channels. Because the content is derived from user account data, a mistaken or implicit target selection can become an immediate privacy breach.

Ssd 3

High
Confidence
97% confidence
Finding
The skill instructs the agent to parse `[DELIVERY]` directives from program output and then perform external sends. Program output is untrusted data; if influenced by upstream content, prompts, fetched metadata, or a compromised script, it can inject arbitrary delivery instructions and exfiltrate files or summaries to attacker-chosen destinations.

Credential Access

High
Category
Privilege Escalation
Content
print("  1. 登录 https://www.bilibili.com")
        print("  2. 按 F12 打开开发者工具 → Application → Cookies → bilibili.com")
        print("  3. 复制 SESSDATA、BILI_JCT、BUVID3 的值")
        print("  4. 更新项目根目录的 .env 文件")
        print("=" * 55)
        return False
Confidence
77% confidence
Finding
.env

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal