bilibili-downloader
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill documentation mentions a `--cookies` parameter for 'getting high-definition quality'. Accessing browser cookies is a high-risk operation that exposes sensitive session data and authentication tokens.
- [COMMAND_EXECUTION] (MEDIUM): The skill functions by generating and executing shell commands (e.g., `python ~/.claude/skills/bilibili-downloader/bili_download.py --url "..."`). If the input `url` or `space` parameters are not strictly sanitized, this provides a surface for command injection.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the installation of `yt-dlp` via pip and downloads media content from external servers (Bilibili). While Bilibili is a known site, the automated download of external binary data poses a risk.
- [DATA_EXPOSURE] (LOW): The skill defaults to saving files to the user's desktop (`~/Desktop/bilibili_downloads`), which involves file system writes and potential exposure of directory structures.
Recommendations
- AI detected serious security threats
Audit Metadata