Bilibili Trending Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Bilibili ranking data and stores local trend reports; its sub-agent spawning and local persistence behavior is disclosed, but worth noting.

Install only if you are comfortable with the skill writing Bilibili ranking history and reports into your workspace and, by default, sending fetched public ranking data to an OpenClaw sub-agent for analysis. Use the documented --manual mode if you want to inspect prompts instead of spawning a sub-agent, and set BILIBILI_WORKSPACE carefully because it controls where files are written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'filepath' from os.environ.get (line 90, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
import os

# ANALYSIS_DIR is defined elsewhere in the skill; per the finding it is derived
# from an environment variable (BILIBILI_WORKSPACE controls where files land).
def save_summary_report(prefix, content):
    """Save a weekly/monthly summary report."""
    # Path built from an environment-derived directory: whoever controls that
    # variable controls where this write goes.
    filepath = os.path.join(ANALYSIS_DIR, f"{prefix}.md")
    with open(filepath, "w", encoding="utf-8") as f:
        f.write(content)
    return filepath
Confidence
92% confidence
Finding
with open(filepath, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions, but its own documentation clearly describes using environment variables, reading/writing local files, and making network requests. That mismatch prevents users or platform controls from accurately understanding and constraining what the skill can do, which increases the chance of unintended data access or persistence. In this context the behavior appears operational rather than overtly malicious, but the undeclared capabilities are still a real security issue.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The description understates the real behavior by saying it only calls public APIs and has no privacy risk, while the documented workflow also spawns a sub-agent, retains historical owner/UP (uploader) data, stores alerts, and persists reports locally. This kind of description-behavior mismatch can cause users to authorize the skill under false assumptions, especially because persistent tracking and agent invocation materially expand the attack surface beyond simple API fetching. The reassuring safety language in the description makes the mismatch more concerning, not less.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill sends a generated prompt containing full ranking data to a spawned sub-agent runtime, which expands the trust boundary beyond simple API fetching. This is more dangerous in context because the skill ingests external content such as video titles and metadata, then forwards it to another agent without any prompt-injection controls or minimization, creating an unnecessary delegation surface.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The markdown states that fetched data and generated reports are automatically stored locally, but it does not prominently warn users about retention scope, duration, or the fact that owner-related fields and history files are preserved over time. Even if the data is public, silent accumulation of persistent records can create privacy, governance, and disk-retention concerns, especially in shared workspaces or multi-user environments. The skill context lowers severity somewhat because the source data is public ranking data, but persistence still deserves explicit notice and control.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly describes automatic spawning of a sub-agent and automatic persistence of fetched data and generated reports into the workspace, but provides no warning, consent step, or control boundary for these side effects. Even though the data source is public, automatic writes and agent invocation can surprise users, consume resources, and store content containing user/channel metadata (such as the documented owner field) without clear disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
