Bilibili Transcript
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A pre-existing text file in the output folder could be copied into the generated transcript and then deleted, causing data loss or accidental disclosure if the final transcript is shared.
During Whisper fallback, the script selects the first TXT file in the user-selected output directory, reads it as the transcript, and deletes it. If the user chooses a normal folder such as Documents, this can affect an unrelated file.
TXT_FILE=$(find "$OUTPUT_DIR" -maxdepth 1 -name "*.txt" -type f 2>/dev/null | head -1) ... TRANSCRIPT_TEXT=$(cat "$TXT_FILE") rm -f "$TXT_FILE"
Only read and delete the specific Whisper output file created for this run, use a temporary working directory, and avoid deleting broad matches like any '*.txt' in a user-selected folder.
The skill may use your existing browser login session to access Bilibili content without an explicit per-run confirmation, which can expose account-authorized/member-only content to the transcript workflow.
The script automatically uses local Chromium or Edge browser cookie stores. This is disclosed in the docs for member-only videos, but it is high-impact session/profile access and the registry metadata declares no primary credential or required config path.
COOKIE_PARAM="--cookies-from-browser chromium:$CHROMIUM_PATH" ... COOKIE_PARAM="--cookies-from-browser edge:C:/Users/$WIN_USER/AppData/Local/Microsoft/Edge/User Data"
Declare the browser cookie/profile access in metadata, require explicit user approval before using cookies, and provide a clear no-cookies mode or a user-selected browser/profile option.
The skill may fail or behave differently depending on which local versions of these tools are installed.
The skill depends on local command-line tools, but the registry shows no install spec and no required binaries. The tools are expected for the transcription purpose, but users must supply trusted installations themselves.
`yt-dlp` - Video/audio download `ffmpeg` - Audio processing `whisper` - Speech-to-text `opencc` - Traditional to Simplified Chinese conversion
Declare required binaries and supported versions in metadata, and direct users to trusted installation sources.