AI B站信息源

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its Bilibili AI report purpose, but it needs Review because it can create recurring scheduled jobs, persist an API key locally, and includes broad people-investigation guidance.

Review before installing. Only use this with a RedFox API key you can revoke, avoid enabling subscription unless you are comfortable with a daily scheduled job, and check/remove the LaunchAgent or crontab entry if you disable it. Do not use the background-investigation templates on private individuals or sensitive personal matters without a clear lawful and ethical basis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        plist_path.write_text(plist_content, encoding="utf-8")

        try:
            subprocess.run(["launchctl", "load", str(plist_path)], check=True, capture_output=True)
            info("订阅成功! 每天 09:00 自动生成B站爆款日报")
            info(f"日报目录: ~/Downloads/QoderReports/")
            info(f"日志: {log_path}")
Confidence
85% confidence
Finding
subprocess.run(["launchctl", "load", str(plist_path)], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        script_path = os.path.abspath(__file__)
        cron_line = f"0 9 * * * /usr/bin/python3 {script_path} --no-open"
        try:
            subprocess.run(
                f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -',
                shell=True, check=True, capture_output=True
            )
Confidence
96% confidence
Finding
subprocess.run( f'(crontab -l 2>/dev/null; echo "{cron_line}") | crontab -', shell=True, check=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            warn("未找到订阅配置,无需取消")
            return False
        try:
            subprocess.run(["launchctl", "unload", str(plist_path)], check=True, capture_output=True)
        except subprocess.CalledProcessError:
            pass
        plist_path.unlink(missing_ok=True)
Confidence
79% confidence
Finding
subprocess.run(["launchctl", "unload", str(plist_path)], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    else:
        script_path = os.path.abspath(__file__)
        try:
            subprocess.run(
                f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -',
                shell=True, check=True, capture_output=True
            )
Confidence
97% confidence
Finding
subprocess.run( f'crontab -l 2>/dev/null | grep -v "{script_path}" | crontab -', shell=True, check=True, capture_output=True )

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill reads ~/.zshrc, ~/.bashrc, ~/.bash_profile, and ~/.profile to extract an API key. That exceeds the minimum needed for a reporting tool and accesses unrelated shell startup content, which may contain additional secrets or sensitive user configuration.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The generated HTML explicitly embeds the API key via html.replace("{{API_KEY}}", api_key or ""). This can leak the credential into a file saved under Downloads, later opened in a browser, shared, synced, or inspected by other local users and software.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill can install and remove LaunchAgent/crontab scheduled tasks, which is a host-management capability beyond feed/report generation. In this context that materially increases risk because it gives the skill persistence and repeated unattended execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file materially expands the skill from Bilibili AI trend reporting into broad intelligence-gathering workflows, including competitor analysis, public-opinion monitoring, person background investigation, and generic fact-checking. This scope creep increases the chance the skill will be used for surveillance-like or privacy-invasive tasks outside the user-visible purpose, weakening user consent and safety boundaries.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The '人物背景调查' section enables collection of a person's background, reputation, controversy, and lawsuit information even though the skill is described as producing AI/B站 trend reports. That creates an unjustified people-investigation capability that can be misused for doxxing, profiling, reputational harm, or invasive vetting of private individuals.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The configuration defines a broad-purpose intelligence investigation tool with cross-engine research, competitor analysis, sentiment monitoring, and background investigation capabilities that substantially exceed the stated Bilibili AI feed/reporting purpose. This scope expansion increases the risk of function creep, misuse for surveillance-like tasks, and collection or processing of data unrelated to the user-facing skill description.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The '人物背景调查' mode explicitly enables person background investigation, which is unrelated to generating Bilibili AI trend reports and creates a clear pathway for profiling individuals. In the context of a content-feed skill, this is especially dangerous because it normalizes invasive personal investigation without a demonstrated need, increasing privacy, harassment, and compliance risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Competitor-analysis and public-opinion monitoring modes broaden the skill into market intelligence and sentiment surveillance, which are outside the manifest’s narrow Bilibili AI feed scope. Even if not inherently malicious, embedding these capabilities creates hidden dual use and enables unannounced collection or analysis workflows beyond user expectations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file hardcodes a default API key and an external record-save endpoint, enabling outbound data posting using embedded credentials. This is dangerous because anyone with access to the skill package can extract and abuse the key, and the skill may transmit records to a third-party service without strong necessity or transparent user consent for the stated feed-reporting function.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README tells users they can invoke the skill with broad natural-language requests, which can cause accidental or overly broad activation when a user mentions related topics conversationally. In a skill that triggers web searches, local report generation, and possible subscription setup, unintended invocation can lead to unplanned external requests and local side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises one-click subscription and automatic daily local output, but the description does not prominently warn users that it will create files and continue producing outputs over time. This can surprise users, consume disk space, and create persistence-like behavior that users did not fully understand or consent to.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs multi-engine external investigations across many search providers, but the description does not clearly warn users that prompts, topics, or derived queries may be sent to third-party services. This creates privacy and confidentiality risk, especially if users investigate sensitive companies, people, or unreleased products.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README explicitly says users can invoke the skill with unrestricted natural language, without defining clear trigger boundaries or limiting phrases. That broad activation surface can cause accidental invocation in unrelated conversations and may lead the agent to perform network access, local file generation, or subscriptions when the user did not intend to activate this specific skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises automatic local report generation and daily subscription behavior, but does not prominently warn that it will persist files locally and may continue running on an ongoing basis. In an agent environment, persistent writes and recurring automation are security-relevant side effects because they can surprise users, consume resources, expose sensitive data in local artifacts, or create unwanted scheduled activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatically writing reports to disk and opening them in a browser without a prominent warning can surprise users and increase exposure of generated content or embedded sensitive data. In the context of this skill, the risk is amplified by the reported possibility that credentials may be inserted into the HTML, making auto-open materially more dangerous.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
A subscription mode that causes recurring automatic report generation is potentially risky when users are not clearly informed about persistence, scheduling, repeated network calls, and repeated local writes. This can lead to unexpected resource consumption, privacy exposure, and ongoing external data transmission beyond the initial invocation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to configure and use an API key for an external service but does not clearly warn that authenticated requests and associated query data will be sent to a third-party backend. This omission can cause users to disclose sensitive usage patterns or account-linked activity without informed consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
Embedding the API key into HTML without warning creates a direct secret exposure path. Since the report is stored in a user-accessible Downloads directory and opened automatically, accidental disclosure is highly plausible.

Missing User Warnings

High
Confidence
98% confidence
Finding
When subscription is enabled on macOS, the generated plist may contain the API key in EnvironmentVariables and is written to disk. This persists the credential in a LaunchAgent file, creating a durable local secret exposure and expanding access to the key.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs collection of personal background, reputation, controversy, and litigation signals without any warning about privacy, defamation, or sensitive personal data risks. In practice, this omission can normalize unsafe handling of personal information and encourage overcollection or presentation of unverified allegations as fact.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The '人物背景调查' template explicitly structures collection of personal background, reputation, lawsuits, and negative reports without any privacy, legality, minimization, or verification guardrails. In a skill framed as automated intelligence gathering, this can normalize doxxing-like profiling, encourage processing of sensitive personal data, and lead to harmful or unlawful collection and presentation of unverified allegations.

VirusTotal

VirusTotal findings are pending for this skill version.