bilibili-research-kit

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Bilibili research purpose, but it tells the agent to use your browser login cookies without enough safety scoping.

Install only if you are comfortable running yt-dlp locally. Use the cookie option only when necessary, preferably with a dedicated browser profile or limited account, and never share, upload, echo, or log exported cookies. Avoid entering Bilibili credentials or cookies into third-party download websites.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to export browser cookies for authenticated access without warning that this exposes live session credentials from the user's browser profile. If a user runs this carelessly, those cookies could be logged, persisted, or mishandled, enabling account/session compromise for Bilibili or other browser-scoped authenticated contexts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal