bilibili-yt-dlp

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Bilibili download helper, but it under-scopes browser cookie use and automatic cleanup of downloaded files.

Install only if you are comfortable letting the agent run yt-dlp/ffmpeg and write video files locally. For public videos, avoid cookie authentication. If login is required, explicitly approve the exact browser profile or cookie file first, set the output path, and tell the agent whether to keep or delete the downloaded file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 77%
Finding
The skill instructs deletion of the video after sending it to the user, but provides no requirement for confirmation, no constraints on what path may be deleted, and no warning about data loss. In an agent context, this kind of unconditional cleanup step can cause accidental deletion of user data or removal of artifacts needed for verification, especially if filenames or directories are user-influenced.

VirusTotal

66/66 vendors flagged this skill as clean.
