bilibili-search

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Bilibili search wrapper that sends a user-provided keyword to a local API service, with no evidence of hidden file access, credential use, persistence, or destructive behavior.

Before installing, review and trust the separate local FastAPI/Playwright service you run on port 8000, because that component performs the actual browser automation and Bilibili access. Be aware that search keywords can be sent to that local service automatically by the agent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly describes a locally hosted FastAPI service and a headless Playwright browser that perform real-time retrieval from Bilibili, but it does not clearly disclose to users that invoking the skill causes live outbound network requests and data collection from a third-party site. This can undermine informed consent, surprise users in restricted environments, and create privacy, compliance, or policy issues when the agent operates on a local machine or server.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal