Bili Sunflower Publish

Security checks across malware telemetry and agentic risk

Overview

This Bilibili publishing skill is mostly coherent, but it can publish through the user’s logged-in account without a required final approval step.

Install only if you are comfortable with an agent using your logged-in Bilibili browser session to post content. Before using it, verify the account, file path, title, target, visibility, category/sync settings, and embedded image paths, and explicitly instruct the agent to stop for your approval before clicking publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill performs local file reads and writes through preprocessing steps but does not declare those capabilities. Undeclared file access weakens user and platform understanding of what the skill can do, making it easier to process unintended local content or write artifacts without clear consent boundaries.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The description frames the skill as a publishing helper, but the documented behavior also reads local files, writes transformed outputs, and inlines local images as base64. That mismatch can hide materially sensitive data-handling behavior from users, increasing the risk of accidental exfiltration of local content to Bilibili during publication.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README advertises automatic image inlining and one-click publishing but does not clearly warn that local content may be transformed and then transmitted to a third-party platform. In a publishing automation skill, this can lead to unintended disclosure of local image data or publication of modified content without the user fully understanding what will be sent.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding: The README advertises automatic inlining of local images as base64 data URIs and one-click publishing to Bilibili, but it does not warn that local file contents will be embedded into the published payload and transmitted to a third-party platform. In this skill context, that increases the risk of accidental disclosure of sensitive local images or unintended public posting, especially because the feature is framed as seamless and automated.

Vague Triggers

Severity: Medium
Confidence: 75%
Finding: The trigger language is broad enough to activate on common requests about posting to Bilibili, which can cause the skill to run in situations where the user did not intend full automated publication. Because this skill culminates in external posting, ambiguous activation increases the chance of unintended account actions.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill instructs the agent to click the final publish button by default, without a mandatory user-facing confirmation immediately before the irreversible action. In a browser-automated account context, this can directly cause accidental publication to a live Bilibili article or tribee under the user's identity.

VirusTotal

66/66 vendors flagged this skill as clean.