Back to Dashboard
100

哔哩哔哩 MCP Server,支持获取热门排行榜、搜索视频、获取用户投稿列表等功能

@lianginx/bilibili-mcp021 files scannedApril 4, 2026

High risk — review the findings below

We found multiple concerning patterns in this package. Some of these might be legitimate (for example, a build tool might need to run commands), but you should review each finding below and decide if the explanations make sense for what this package claims to do.

What We Found(5 issues)

Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.

HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
src/commands/get-follows.js:16
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
src/commands/get-hot-rank.js:14
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
src/commands/get-videos.js:29
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
src/commands/search-users.js:23
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
src/commands/search-videos.js:23

Finding Summary

0

Critical

5

High

0

Medium

0

Low

0

Info