Security audit

Automatically generate high-quality illustrated notes from Bilibili videos, with automatic screenshots and upload to Notion

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it can upload local/video-derived content to Notion, modify existing Notion pages, and run unsafe local command paths without enough user control or safeguards.

Review carefully before installing. Use a least-privilege Notion integration scoped only to the intended database, avoid passing tokens directly on command lines, verify the BBDown binary with a trusted checksum or package source, and do not run the automatic duplicate cleanup unless you are comfortable with the skill archiving Notion pages that match the generated title.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"\n🔍 {description}...")

    try:
        result = subprocess.run(
            cmd, shell=True, capture_output=True, text=True, check=True
        )
        return json.loads(result.stdout)
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        for path in bbdown_paths:
            try:
                result = subprocess.run(
                    [path, "--help"], capture_output=True, text=True, timeout=5
                )
                if result.returncode == 0:
Confidence
89% confidence
Finding
result = subprocess.run( [path, "--help"], capture_output=True, text=True, timeout=5 )

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The duplicate-page cleanup logic instructs the skill to query the user's Notion database and archive pages beyond the core task of creating a new note. Any automated archival step expands scope from content creation to content management and can hide or alter user data if matching logic is imperfect or execution context is confused.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The file explicitly says the skill should not edit existing Notion pages, but elsewhere instructs it to archive existing same-title pages. This contradiction creates an unsafe policy gap: operators may trust the non-edit claim while the workflow still performs state-changing actions on existing records.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly describes uploading local files to Notion via the Direct Upload API but does not warn users that screenshots and other local artifacts will be transmitted to a third-party cloud service. In a skill that processes local video-derived content and automates uploads, this omission can cause unintended disclosure of private or copyrighted material because users may not realize data leaves the local environment.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The instructions tell users to export a NOTION_API_KEY but do not include guidance on secure handling of the credential or warn that the key authorizes API access to user content. This increases the chance of accidental exposure through shell history, shared terminals, screenshots, logs, or misuse in environments where secrets are not properly isolated.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes generating notes from subtitles and screenshots and publishing them to Notion, but does not warn that video content, captions, and derived notes may contain sensitive or copyrighted material that will be transmitted to a third-party service. This increases the risk of unintentional data sharing, especially because the workflow is positioned as a one-click pipeline from source content to external publication.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to export a Notion integration token and pass it into commands, but does not caution against exposing the credential through shell history, logs, screenshots, shared terminals, or process listings. In practical use, this can lead to accidental credential disclosure and unauthorized access to Notion workspaces or databases.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow creates Notion content and may archive duplicate pages, but it does not require an explicit warning or user confirmation before these external write and modification actions. Silent modification of a user's database increases the chance of unintended data changes and violates the principle of informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends video URL/title and processed subtitle segments to Notion, which is an external service, without any explicit consent prompt, warning, or data-minimization notice in the code path. Because subtitles can contain sensitive or proprietary content, silent transmission increases the risk of unintended disclosure, especially in an agent context where users may not realize remote exfiltration occurs.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The Notion API token is accepted as a command-line argument and then embedded into a shell command string for a child process. Command-line secrets are commonly exposed through process listings, shell history, logs, and debugging output, which can leak credentials to other local users or monitoring systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script uploads local image files referenced in markdown to Notion without a clear user-facing disclosure at execution time. In an agent-skill context, markdown and image paths may originate from upstream automation, so users may unintentionally exfiltrate local files or screenshots to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Accepting the Notion API token on the command line exposes the credential to shell history, process listings, job logs, and orchestration telemetry. In shared systems or agent environments, this can lead to credential theft and unauthorized access to the user's Notion workspace.

External Transmission

Medium
Category
Data Exfiltration
Content
pip install requests

# 2. Download BBDown
curl -L -o /tmp/BBDown.zip "https://github.com/nilaoda/BBDown/releases/download/1.6.3/BBDown_1.6.3_20240814_linux-x64.zip"
unzip /tmp/BBDown.zip -d /tmp/
chmod +x /tmp/BBDown
Confidence
84% confidence
Finding
curl -L -o /tmp/BBDown.zip "https://github.com/nilaoda/BBDown/releases/download/1.6.3/BBDown_1.6.3_20240814_linux-x64.zip" unzip /tmp/BBDown.zip -d

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.