Security audit

BiliBili-Danmaku-Analyzer-v1

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it fetches public Bilibili danmaku for a user-supplied video and saves local analysis files.

Install if you are comfortable with the skill fetching public Bilibili comments for videos you provide and saving sampled comments, video metadata, prompts, and reports locally. Use a deliberate output directory and delete generated files when the video topic or comments are sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill clearly describes network access to Bilibili APIs and writing multiple local output files, yet no permissions are declared. This creates a transparency and consent problem: users or hosting platforms may not realize the skill can fetch third-party content and persist it locally, which can lead to unexpected data handling and weaker policy enforcement.

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The documentation explains outputs and generated reports, but it does not prominently warn users that third-party danmaku/content will be fetched from Bilibili and saved into local files. This is risky because saved outputs may contain personal, sensitive, or copyrighted third-party content that users did not expect to store or redistribute.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal