ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bilibili AI Subtitle

v2.0.0

Download Bilibili AI-generated subtitles (auto-subtitles) for videos. Use when you need to quickly get subtitles from Bilibili videos that have AI-generated...

0· 307·0 current·0 all-time
by@54lynnn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (download Bilibili AI subtitles) align with the provided script and SKILL.md. The script uses yt-dlp to list and fetch AI subtitles, parses metadata, and writes a formatted TXT — all directly related to the stated purpose.
Instruction Scope
Runtime instructions and the script stay within subtitle-download scope. The script enumerates local browser cookie stores (WSL Chromium path and Windows Edge user data under /mnt/c/Users) to supply yt-dlp with cookies for member-only videos — this is relevant to the feature but does access local browser profile paths. No other files, external endpoints, or unrelated system data are accessed or transmitted.
Install Mechanism
There is no install step (instruction-only + shell script). No remote downloads or archive extraction are performed by the skill itself. The only declared dependency in SKILL.md is yt-dlp (the script also uses python3, coreutils like sed/grep/find/wc/date which are normal).
Credentials
The skill requests no environment variables or credentials. It does, however, attempt to read local browser cookie stores and enumerates /mnt/c/Users to locate a Windows Edge profile for cookie extraction — behavior that is explainable for accessing member-only videos but is sensitive because it uses authenticated browser cookies. Also the default output directory is a hardcoded path (/home/administrator/.openclaw/workspace/...) if none is provided, which may be surprising; supplying an explicit output directory is advisable.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not modify other skills or global agent config. It runs only when invoked.
Assessment
This skill appears coherent for its stated purpose. Before installing/running: 1) Ensure yt-dlp and python3 are installed and up-to-date. 2) Review the script yourself (it is short and readable). 3) Be aware it will try to read local browser cookie stores (WSL Chromium path or Windows Edge user data under /mnt/c/Users) to access member-only videos — if you don't want that, run the script without cookies or remove the cookie-detection block. 4) Provide an explicit output directory when invoking to avoid the hardcoded /home/administrator path. 5) Run in a sandbox or test environment if you are unsure about giving the script access to browser profile directories.

Like a lobster shell, security has layers — review code before you run it.

latestvk97971mbq8z0p609k6s9jpgfmx83095s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments