Bilibili Up To Kb

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for building a Bilibili transcript knowledge base, but it uses browser cookies and remote LLM transcript cleaning in ways that are not clearly opt-in or fully disclosed.

Install only if you are comfortable with the skill accessing your Chrome Bilibili session cookies and sending transcript text to the configured external LLM cleaning provider. Prefer public-only downloads or an explicit exported cookie file, disable remote cleaning for private or sensitive media, and supervise any nohup batch jobs so they do not keep running unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs the agent to invoke shell scripts that read and write local files, but the manifest does not declare those capabilities. Undeclared shell and filesystem access reduces transparency and can lead to overly broad execution in environments that rely on permission metadata for policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The description says the workflow is local and needs no API key, but the documentation also describes external LLM-based cleaning, optional browser-cookie extraction, metadata harvesting, and use of remote AI subtitles. This mismatch can mislead users and policy systems about data egress, credential exposure, and the true privacy/security profile of the skill.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
Claiming 'no API key needed' and local transcription while documenting an external API-backed cleaning step is a security-relevant disclosure failure. Users may provide sensitive media under the assumption it stays local, when transcript content may instead be sent to a third-party model provider.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script automatically falls back to `--cookies-from-browser chrome` when anonymous access fails, which causes yt-dlp to import the user's Chrome cookies for authenticated requests. Even if intended only to access Bilibili content, this uses sensitive browser credentials without an explicit opt-in at runtime, expanding the skill's capabilities beyond simple public transcription and increasing privacy/security risk if logs, child processes, or downstream tools expose those cookies.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The script derives a new output directory name from remote uploader metadata and may move the caller-provided output directory to that new path. This undisclosed filesystem mutation can surprise users, break assumptions in calling automation, and potentially relocate existing files to an unintended location based on untrusted network-sourced data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script advertises local transcription via whisper.cpp, but the cleaning stage is configured to send transcript chunks to an external opencode/MiniMax model. This creates a real data exposure risk because users may reasonably assume the entire pipeline is local, while sensitive transcript content is transmitted off-host without an explicit trust boundary or consent step.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Importing browser cookies without a clear warning is a meaningful security/privacy issue because browser cookie stores contain active session material. In this skill's context, transcription of Bilibili videos does not inherently require access to broader browser credentials, so silently escalating to authenticated browser state is more dangerous than the stated purpose suggests.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script performs rename and write operations that materially change the filesystem layout but does not clearly disclose this behavior to the user beforehand. While not directly exploitable as code execution, hidden path changes can cause data management mistakes, overwrite/confusion scenarios, and operational risk in automated workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Each transcript chunk is embedded into a prompt and sent to an external model service, but the script provides no explicit warning, consent, or redaction step. In the context of a knowledge-base builder, transcripts may contain private conversations, internal meetings, or copyrighted material, so silent exfiltration to a third party is a meaningful privacy and compliance issue.

Session Persistence

Medium
Category
Rogue Agent
Content
## ⚠️ Long-running tasks

Use nohup to avoid session compaction killing processes:
```bash
nohup bash scripts/batch_clean.sh ./kb/UP主名_UID/ 0 80 > /tmp/clean.log 2>&1 &
```
Confidence
72% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Auto-chunked, just re-run to resume
nohup bash scripts/batch_channel.sh "https://space.bilibili.com/UID/" ./kb/output > /tmp/batch.log 2>&1 &
```

If still fails, manually fetch URL list:
Confidence
74% confidence
Finding
nohup

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
## Environment Variables

| Variable | Default | Description |
|----------|---------|-------------|
| `WHISPER_CLI` | `whisper-cli` | Path to whisper.cpp |
| `WHISPER_MODEL` | `~/.whisper-cpp/ggml-small.bin` | Whisper model |
| `OPENCODE_BIN` | `~/.opencode/bin/opencode` | opencode CLI |
Confidence
90% confidence
Finding
cookies for member-only content (`--cookies-from-browser chrome; cookies-from-browser chrome

VirusTotal

64/64 vendors flagged this skill as clean.
