Bilibili Transcript
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: bilibili-transcript
Version: 2.2.0
The skill's primary script, `scripts/bilibili_transcript.sh`, automatically searches for and accesses sensitive browser cookie databases from both WSL Chromium and Windows Edge (via `/mnt/c/Users/`) to authenticate video downloads. While this behavior is documented in `SKILL.md` as a means to access member-only Bilibili content, the automated extraction of browser credentials represents a significant security risk. No evidence of intentional data exfiltration to external servers was found, but the capability to access host-system browser data warrants a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A pre-existing text file in the output folder could be copied into the generated transcript and then deleted, causing data loss or accidental disclosure if the final transcript is shared.
During Whisper fallback, the script selects the first TXT file in the user-selected output directory, reads it as the transcript, and deletes it. If the user chooses a normal folder such as Documents, this can affect an unrelated file.
```
TXT_FILE=$(find "$OUTPUT_DIR" -maxdepth 1 -name "*.txt" -type f 2>/dev/null | head -1)
...
TRANSCRIPT_TEXT=$(cat "$TXT_FILE")
rm -f "$TXT_FILE"
```
Only read and delete the specific Whisper output file created for this run, use a temporary working directory, and avoid deleting broad matches like any '*.txt' in a user-selected folder.
The skill may use your existing browser login session to access Bilibili content without an explicit per-run confirmation, which can expose account-authorized/member-only content to the transcript workflow.
The script automatically uses local Chromium or Edge browser cookie stores. This is disclosed in the docs for member-only videos, but it is high-impact session/profile access and the registry metadata declares no primary credential or required config path.
```
COOKIE_PARAM="--cookies-from-browser chromium:$CHROMIUM_PATH"
...
COOKIE_PARAM="--cookies-from-browser edge:C:/Users/$WIN_USER/AppData/Local/Microsoft/Edge/User Data"
```
Declare the browser cookie/profile access in metadata, require explicit user approval before using cookies, and provide a clear no-cookies mode or a user-selected browser/profile option.
The skill may fail or behave differently depending on which local versions of these tools are installed.
The skill depends on local command-line tools, but the registry shows no install spec and no required binaries. The tools are expected for the transcription purpose, but users must supply trusted installations themselves.
- `yt-dlp` - Video/audio download
- `ffmpeg` - Audio processing
- `whisper` - Speech-to-text
- `opencc` - Traditional to Simplified Chinese conversion
Declare required binaries and supported versions in metadata, and direct users to trusted installation sources.
