Security audit

B站关键词实时搜索 (Bilibili keyword real-time search)

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Bilibili search tool, but its subscription feature can create recurring scheduled searches without sufficient detail on how to cancel them or contain what they can do.

Review the subscription feature before installing. One-off searches appear proportionate, but only enable the daily push if you are comfortable with recurring API calls that use REDFOX_API_KEY. Prefer a platform scheduler with visible task management, and make sure you know how to disable the scheduled job and revoke the API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill instructs use of environment-stored API credentials and a networked script, but the manifest does not clearly declare those capabilities. This creates a transparency and review gap: operators may enable the skill without realizing it can read secrets and make outbound requests, which increases the chance of unintended data exposure or policy bypass.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill’s documented functionality expands from one-shot real-time search into ongoing subscription/push behavior. That broadens data access and execution frequency beyond what a user would likely expect, increasing the risk of unwanted persistence, repeated external calls, and silent background activity.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The instructions to create cron-based scheduled tasks introduce persistence on the host for a skill advertised as real-time search. Persistence mechanisms are security-sensitive because they cause recurring execution, may continue after the user forgets about them, and can be abused to repeatedly use stored API keys or consume resources without ongoing oversight.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README instructs users to invoke the skill through broad natural-language phrases (simply describing what they need), which can cause the tool to activate in situations where the user did not intend a live external query. In an agent environment, ambiguous trigger boundaries increase the risk of unintended API calls, privacy leakage through forwarded queries, and surprising behavior when casual conversation resembles a search request.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README promotes daily subscription push functionality but does not clearly warn that this creates an ongoing automated action that persists beyond the current interaction. Without explicit disclosure and confirmation, users may unknowingly authorize recurring monitoring or notifications, which can lead to unwanted background actions, repeated external requests, and possible privacy or cost concerns depending on the downstream integration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill tells users how to place an API key into config files or environment variables but omits any warning that the key is sensitive or guidance on least-privilege handling. This increases the risk of credential leakage through shared configs, shell history, screenshots, logs, or overbroad key usage.

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
```
crontab 0 10 * * * python
创建成功后告知用户:"已成功订阅关键词「<关键词>」的B站实时视频推送,每天 10:00 将自动查询最新数据并通知你。"
```
Translation of the matched instruction text: After creation succeeds, tell the user: "Successfully subscribed to real-time Bilibili video push for keyword 「<keyword>」; the latest data will be fetched automatically at 10:00 every day and you will be notified."
Confidence
94% confidence

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal