bilibili-batch

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Unsanitized input is passed to shell commands in bin/subtitle.js and bin/cli.js.
      • Evidence: In bin/subtitle.js, the YouTubeExtractor.extract function interpolates the url variable directly into a template string used by execSync. An attacker providing a URL containing shell metacharacters (e.g., "; touch /tmp/pwned; #") could execute arbitrary commands.
      • Evidence: In bin/cli.js, the batchExtract function interpolates user-controlled parameters like model into an execSync call without validation.
  • [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch data from external APIs and utilizes external tools.
      • Evidence: Fetches video metadata from Bilibili's public API (api.bilibili.com).
      • Evidence: Uses yt-dlp to download subtitle files from third-party video hosting platforms.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted video data.
      • Ingestion points: Video titles and subtitles fetched from Bilibili and YouTube in bin/subtitle.js.
      • Boundary markers: None. The extracted text is saved directly into Markdown files without delimiters or instructions for the agent to ignore embedded commands.
      • Capability inventory: The skill has file-write permissions for the user's Obsidian vault and can execute subprocesses via execSync.
      • Sanitization: Only filename characters are sanitized for filesystem compatibility; the actual content of the notes is not validated or escaped.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 7, 2026, 04:54 PM