v2.0.0

Bilibili AI Subtitle

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:21 AM.

Analysis

The skill matches its subtitle-downloading purpose, but it automatically uses local Chromium/Edge browser cookies without declaring credential access in metadata, so it should be reviewed carefully before installation.

Guidance: Install only if you are comfortable letting the script use your logged-in Bilibili browser session. Consider using a separate browser profile or cookie file for Bilibili, verify yt-dlp is installed from a trusted source, and review the output directory before running.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
## Requirements

- `yt-dlp` installed
- Optional: Browser with Bilibili login

The skill documentation requires yt-dlp, but the registry metadata lists no required binaries and no install spec. This is purpose-aligned, but the dependency is under-declared.

User impact: The skill may not work unless users install external tools themselves, and the registry does not capture or pin those dependencies.
Recommendation: Declare yt-dlp and other runtime assumptions in the skill metadata, and provide trusted installation guidance or version expectations.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
scripts/bilibili_ai_subtitle.sh
TEST=$(yt-dlp --list-subs --cookies-from-browser "chromium:$CHROMIUM_PATH" "$VIDEO_URL" ...); COOKIE_PARAM="--cookies-from-browser edge:C:/Users/$WIN_USER/AppData/Local/Microsoft/Edge/User Data"

The script automatically points yt-dlp at local Chromium/Edge browser cookie stores and applies them to the supplied URL. Browser cookies are sensitive session credentials, while the registry metadata declares no primary credential or required config paths.

User impact: Running the skill may let it use your logged-in browser session to access Bilibili content, including member-only content, and users may not realize this is credential/session access.
Recommendation: Declare browser-cookie access in metadata, require an explicit user opt-in such as a --use-cookies flag, validate that the URL is a Bilibili domain before using cookies, and prefer a dedicated browser profile or cookie file for this skill.