Bilibili API Service

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to be advertised as a Bilibili helper but its documented behavior and code evidence point to a broader, mismatched third-party API client that stores credentials locally.

Review this carefully before installing. Only provide an API key if you understand it is for the xiaobenyang service, not Bilibili, and that it may be saved locally in plaintext. The publisher should align the metadata, endpoint, allowed operations, and credential handling before this is treated as a normal Bilibili skill.

SkillSpector (11)

By NVIDIA

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The example tool invocation references a school-search function unrelated to the declared Bilibili skill. This inconsistency suggests copy-paste residue and increases the risk that the agent may route user requests to unintended tools or that operators misunderstand what code is actually available.

Intent-Code Divergence

Low
Confidence: 84%
Finding
The documented project structure names the package as a gaokao/high-school exam skill rather than a Bilibili service, reinforcing that the skill may be repurposed or misrepresented. While not directly exploitable by itself, this confusion weakens trust boundaries and may conceal what backend or codebase is actually being used.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The implementation and docstrings indicate this skill is actually a generic client for a different upstream service ('小笨羊MCP API') rather than a narrowly scoped Bilibili API integration. This mismatch is dangerous because users and operators may trust the skill with Bilibili-related data and permissions while it sends requests, parameters, and API credentials to an unrelated endpoint, creating a supply-chain and data-exfiltration risk.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The client accepts arbitrary 'tool_name' and parameter dictionaries and forwards them directly to the upstream service via headers and JSON body, effectively exposing a generic remote procedure invocation surface. In the context of a Bilibili content/data skill, this exceeds justified scope and could be abused to invoke unintended upstream capabilities, including sensitive actions not disclosed by the skill manifest.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The code repeatedly identifies itself as a '小笨羊MCP API' client, directly contradicting the declared Bilibili API service purpose. While partly a transparency issue, in security terms this kind of identity mismatch can hide the true data flow and remote trust boundary, making it easier for a misleading or swapped backend to operate unnoticed.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The module’s identity and configuration do not align with the declared Bilibili API purpose: it references a different service/domain (`xiaobenyang.com`), a different env prefix (`XBY_GAOKAO_`), and a different skill docstring. This mismatch is dangerous because it can mislead operators into supplying credentials for an unrelated external service, increasing the risk of credential misuse or unintended data flow to the wrong backend.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill claims to support Bilibili operations, but this code persists an unrelated `XBY_APIKEY` credential locally in `.env` and process environment. In the skill context, this is more suspicious because users would reasonably expect Bilibili-related tokens, not credentials for another external service, creating a real risk of tricking users into storing or exposing the wrong secret.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The docstring identifies the module as a different skill (`小笨羊高考Skill配置`) than the manifest’s Bilibili API service. This inconsistency is dangerous because it is a strong indicator of copied or repurposed code, which can conceal unintended endpoints, credential flows, or operational behavior inconsistent with user expectations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to request an API key from the user and save it via configuration, but does not warn that the secret may be persisted locally in .env or environment state. This creates a credential-handling risk because users may disclose secrets without informed consent, and stored keys may later be exposed through filesystem access, logs, or other tooling.

Missing User Warnings

Medium
Confidence: 93%
Finding
The function writes the provided API key directly to a local `.env` file without any user-facing warning, confirmation, or mention of plaintext persistence. This is dangerous because secrets may be stored on disk unexpectedly, then exposed through backups, source control mistakes, shared workspaces, or overly permissive file access.

Ssd 3

Medium
Confidence: 94%
Finding
The instruction to directly present raw API response data to the user without review or minimization may expose sensitive fields returned by the upstream service, including identifiers, metadata, or even echoed credential-related information. In this skill's context, the risk is elevated because it handles API keys and uses a third-party backend whose response schema may change unexpectedly.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
