Security audit

Kuaishou Bilibili Publish

Security checks across malware telemetry and agentic risk

Overview

This skill automates live posting to social platforms and hides its browser automation by default, so it should be reviewed before use.

Install only if you intentionally want browser automation that can upload and publish to your live social accounts. Start with --no-publish and test accounts, review the content and target accounts before enabling live publish-all, avoid running debug scripts on sensitive sessions, and consider pinning dependencies. Be aware that the skill uses stealth-style browser fingerprint changes that may violate platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module is presented as ordinary Chrome process management, but it also adds explicit anti-automation evasion flags such as disabling AutomationControlled and infobars. That mismatch can conceal behavior intended to bypass bot-detection or site controls, increasing abuse potential and reducing operator awareness in a security-sensitive automation context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code deliberately spoofs browser fingerprinting signals and injects stealth JavaScript to hide automation by overriding navigator.webdriver, WebGL identifiers, Chrome runtime presence, and language metadata. In the stated context of automating content publication to third-party platforms, this materially increases the ability to evade platform anti-bot controls and reduces transparency, which is unsafe even if the apparent goal is operational automation rather than overtly malicious abuse.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The page setup automatically injects stealth scripts, overrides the user agent/device metrics, and alters browser permissions for every page. These capabilities go beyond ordinary browser control and make the automation harder to detect, which can facilitate policy evasion or abusive account activity on target platforms.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The script prints the entire configuration file to stdout before running the test. If the config contains sensitive local paths, titles, descriptions, account-related metadata, or other private publishing data, this information can be exposed in terminal logs, CI logs, screen recordings, or shared support output. In this skill context, the leak is limited to local operational data rather than secrets shown in the snippet, so the impact is low but real.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports one-click publishing to multiple external platforms in sequence, which can cause real-world external actions on the user's behalf. While the document describes the mechanics, it does not present a prominent safety warning, explicit confirmation step, or clear notice near the multi-platform command that content will be posted externally across several accounts, increasing the risk of unintended publication.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The report includes concrete commands to publish videos to third-party platforms, including a bulk publish option, but it does not clearly warn users that executing these commands may transmit video files, titles, covers, and keywords to external services under the currently logged-in accounts. In this skill context, the omission is more dangerous because the automation reuses authenticated browser sessions and can cause unintended disclosure or posting if a user tests with real content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The report documents an end-to-end workflow for uploading content and includes a final publish step plus a command example that performs a real publish, but it does not clearly warn that this action can post content publicly to a live account. In an automation skill, that omission increases the risk of accidental unauthorized or unintended publication, especially when readers may copy commands directly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The kill_chrome logic can terminate any process listening on the chosen port, not just the Chrome instance started by this module. If the port is reused by another local service, this can cause unintended denial of service or data loss, especially because the code escalates from CDP close to PID-based termination without explicit confirmation or ownership verification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes the full DOM HTML of an authenticated publisher page to a local file after interacting with the site. That HTML can contain sensitive account data, upload state, internal identifiers, CSRF tokens, or other session-scoped information, and persisting it to disk increases the chance of unintended disclosure through shared folders, backups, logs, or later exfiltration. The debugging context makes this somewhat understandable, but it is still risky because it captures far more data than needed.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill requests automated uploading to multiple third-party publishing pages using local input data and explicitly allows a silent 5-minute wait, but it does not require user confirmation, disclose outbound data transfer, or bound execution behavior. This creates a real risk of unintended content publication, unnoticed long-running browser automation, and accidental transfer of local media/metadata to external platforms.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
websockets>=12.0
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
websockets>=12.0
Confidence
95% confidence
Finding
websockets>=12.0

VirusTotal

67/67 vendors flagged this skill as clean.