Security audit

biliup-skills

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for Bilibili video uploads, but it can install packages, store account credentials, download arbitrary URLs, and post publicly with limited guardrails.

Install only if you are comfortable letting the agent install Python packages, create and retain a Bilibili login token in cookies.json, download media from provided URLs, and post videos to your account. Use it in a trusted workspace, keep cookies.json out of git, avoid untrusted URLs, and require a final review before upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        from PIL import Image  # noqa: F401
    except ImportError:
        print("📦 安装 qrcode[pil] 依赖...", file=sys.stderr)
        subprocess.run(
            [sys.executable, "-m", "pip", "install", "-q", "qrcode[pil]"],
            check=True,
        )
Confidence
86% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "-q", "qrcode[pil]"], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to execute shell commands including package installation, login, file downloads, and uploads, but does not declare any permissions. This creates a transparency and policy-enforcement gap: the platform or user may not realize the skill can run privileged local actions, making misuse or accidental unsafe execution more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The documented behavior exceeds and diverges from the stated description, including extra dependency installation and QR image generation, while the promised end-to-end upload flow is only partially implemented. Description-behavior mismatch is dangerous because users and policy systems may authorize the skill for one purpose while it performs additional local writes, installs, or other actions they did not expect.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The workflow permits downloading arbitrary user-supplied URLs with curl into local storage. This expands the skill from Bilibili upload assistance into general remote content retrieval, which can be abused to fetch untrusted or oversized content, trigger SSRF-like access to internal resources depending on environment, or consume disk/network resources.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation states that the script does not collect or transmit any user data, but the code may contact external package repositories to install dependencies. Even if no credentials are intentionally uploaded, this is a misleading security claim that can cause operators to underestimate network activity and trust implications during execution.

VirusTotal

66/66 vendors flagged this skill as clean.