Social Media Research Assistant Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly a local social-media crawler helper, but it can use browser cookies and account history through a broadly scoped local MCP call path.

Install only if you trust the separate local crawler service. Keep the default localhost endpoint unless you intentionally trust another endpoint, avoid passing browser cookies unless needed, and confirm before collecting Bilibili history or reading archived task data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill supports passing browser-derived cookies to the crawler but does not warn that cookies may grant authenticated account access or expose private viewing/history data. In this context, the risk is heightened because the service is local and can query platform data tied to the user's identity, making accidental disclosure or over-collection more likely.

VirusTotal

61/61 vendors flagged this skill as clean.
