📺 Bilibili Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Bilibili automation skill, but it gives an agent broad authenticated control over a user's account and public content with limited safeguards.

Install only if you are comfortable letting an agent act through your Bilibili session. Use a low-risk account, protect or avoid the plaintext cookie file, review and pin the external CLI/MCP code before enabling it, and require manual approval before any post, delete, repost, like, or batch operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Low
Confidence: 88%
Finding
The skill documents a concrete root-local path where authentication cookies are stored, which normalizes credential-at-rest handling in a predictable location. While this is not an exploit by itself, it increases the chance of accidental disclosure, unsafe file permissions, or downstream tooling reading sensitive tokens from a known path.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill exposes a destructive delete operation for Bilibili posts without clearly warning that the action may be irreversible or require confirmation. In an agent context, this raises the risk of unintended account actions and content loss if the command is invoked automatically or with incorrect identifiers.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation instructs users to pass and store live authentication cookies but does not clearly emphasize that these values are account secrets equivalent to session tokens. In an agent or shared-shell environment, this can lead to credential leakage through shell history, logs, copied examples, or insecure files.

Missing User Warnings

Medium
Confidence: 89%
Finding
The environment variable examples include realistic-looking credential values and do not warn about secret handling, which may encourage copy-paste of live tokens into shell profiles or chat logs. This is especially risky in agent workflows where environment variables may be inherited by subprocesses or exposed in diagnostics.

Missing User Warnings

Medium
Confidence: 89%
Finding
The wrapper directly loads long-lived Bilibili authentication cookies from environment variables or a plaintext local file and passes them to another program, but provides no safeguards, warnings, permission checks, or minimization of exposure. In an agent/skill environment, this increases the risk of credential leakage through workspace file access, shell history, process inspection, logs, or reuse by other tasks, which can lead to account takeover or unauthorized actions on the user's Bilibili account.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
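```python
import subprocess
import time

for content in ["第一条", "第二条", "第三条"]:
    # Flagged pattern: content is interpolated into a command string run with shell=True
    subprocess.run(f"bilibili-wrapper.sh dynamic publish --content '{content}'", shell=True)
    time.sleep(3)  # avoid triggering risk control
```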
Confidence: 94%
Finding
subprocess.run(f"bilibili-wrapper.sh dynamic publish --content '{content}'", shell=True)

VirusTotal

66/66 vendors flagged this skill as clean.
