bilibili-batch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly fetches and ingests untrusted, user-generated content from public sites (e.g., calls to https://api.bilibili.com in fetchJson, BilibiliExtractor.downloadSubtitle and getSubtitles in bin/subtitle.js, yt-dlp/YouTubeExtractor, and reading arbitrary URLs from files via readUrlFile/bin/cli.js and the SKILL.md instruction to use Claude Code's browser to scrape a Bilibili space), and that content (video metadata and subtitles) is parsed and used to select/sort videos and generate notes—so external text can materially influence which items are processed and the agent's outputs.