Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

BibiGPT Skill

v1.0.0

BibiGPT CLI for summarizing videos, audio, and podcasts directly in the terminal. Use when the user wants to summarize a URL (YouTube, Bilibili, podcast, etc...

by JimmyLv_吕立青 (@jimmylv)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jimmylv/bibigpt-skill.

Install the skill "BibiGPT Skill" (jimmylv/bibigpt-skill) from ClawHub.
Skill page: https://clawhub.ai/jimmylv/bibigpt-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install bibigpt-skill

ClawHub CLI

npx clawhub@latest install bibigpt-skill
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
SKILL.md and scripts/bibi-check.sh clearly expect the 'bibi' CLI (and indirectly the desktop app) or an environment variable BIBI_API_TOKEN to be present. However the registry metadata lists no required binaries, no required env vars, and no primary credential. That metadata omission is inconsistent with the documented purpose and should be clarified.
! Instruction Scope
The runtime instructions tell the agent to run 'bibi' commands (summarize, auth, check-update, self-update). The docs also say the CLI will read a saved login session from the desktop app — which implies the agent/CLI may access local app settings or token files. While this is plausible for a CLI that authenticates, the skill instructions do not specify where those session files live, and the registry metadata did not declare access to local config paths. The instructions also include 'self-update', which downloads and installs new code — a capability that can escalate risk if the source is unverified.
Install Mechanism
There is no install spec in the skill package (instruction-only), and the only included script merely checks for the 'bibi' binary. No downloads or extract/install steps are embedded in the skill itself. The SKILL.md points users to Homebrew/winget or the vendor site to install the desktop/CLI, which is typical for a wrapper/integration skill.
! Credentials
The SKILL.md explicitly documents the optional/alternative BIBI_API_TOKEN environment variable and refers to reading the desktop app's saved session; both can expose sensitive credentials. Those environment/config needs are reasonable for a client of a remote API, but they are not declared in the skill metadata — a proportionality mismatch. Users should assume the agent (via the CLI) can access tokens stored in environment variables or local app config.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide agent settings. It appears to be invocable by the user or agent normally and does not request elevated persistent privileges in the manifest.
What to consider before installing
This skill looks like a thin wrapper around the BibiGPT CLI, but the published metadata omits important details. Before installing or using:

1) Ask the publisher for the source code or an official homepage and confirm the official download URL.
2) Verify whether the desktop app stores tokens in plaintext or a secure store — if it does, be cautious because the CLI will read that session.
3) Prefer using a dedicated, limited-scope API token (BIBI_API_TOKEN) set in an environment isolated from other secrets, and avoid pasting tokens into shells you don't control.
4) Review the upstream CLI's update/self-update behavior — auto-updates can fetch and run arbitrary code.
5) If you need stronger assurance, request the skill author update the registry metadata to declare required binaries and env vars (bibi, BIBI_API_TOKEN) and provide a homepage or source repository; without that, treat the skill as unverified and proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97faxc1r7dn5nf0kyvxnq043x82j7mv
1.4k downloads
2 stars
1 version
Updated 15h ago
v1.0.0
MIT-0

BibiGPT CLI (bibi)

Summarize videos, audio, and podcasts from the terminal using the BibiGPT API.

Installation

macOS (Homebrew)

brew install --cask jimmylv/bibigpt/bibigpt

Windows

Download the installer from: https://bibigpt.co/download/desktop

winget install BibiGPT --source winget

Verify installation

bibi --version

Authentication

After installing, the user must log in via the desktop app at least once. The CLI reads the saved session automatically from the desktop app's settings.

Alternatively, set an API token:

export BIBI_API_TOKEN=<token>

On Windows (PowerShell):

$env:BIBI_API_TOKEN="<token>"
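
The scan above recommends keeping BIBI_API_TOKEN in an environment isolated from other secrets. One way to do that from a POSIX shell, as an added example that is not part of the skill or the bibi CLI: the function names, the allow-list of variables and the http(s)-only URL check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the skill or the bibi CLI).
# Runs `bibi summarize` with a scrubbed environment so the CLI sees only an
# allow-list of variables instead of every secret exported in the caller's shell.

# Accept only http:// or https:// URLs with no whitespace (assumed policy).
# This also rejects values such as "--json" that would be parsed as a flag.
is_http_url() {
    tab=$(printf '\t')
    nl='
'
    case "$1" in
        *" "*|*"$tab"*|*"$nl"*) return 1 ;;
        http://?*|https://?*)   return 0 ;;
        *)                      return 1 ;;
    esac
}

# run_isolated CMD [ARGS...]
# Starts CMD under `env -i`, passing through only PATH, HOME, LANG and the
# dedicated token. HOME is kept on the assumption that the CLI needs it to
# locate its own settings; anything else exported by the caller is dropped.
run_isolated() {
    if [ -z "${BIBI_API_TOKEN:-}" ]; then
        echo "BIBI_API_TOKEN is not set" >&2
        return 2
    fi
    env -i \
        PATH="${PATH:-/usr/bin:/bin}" \
        HOME="${HOME:-/}" \
        LANG="${LANG:-C}" \
        BIBI_API_TOKEN="$BIBI_API_TOKEN" \
        "$@"
}

# summarize_isolated URL [FLAGS...]
# FLAGS are passed through unchanged, e.g. --json or --subtitle.
summarize_isolated() {
    [ "$#" -ge 1 ] || { echo "usage: summarize_isolated URL [FLAGS...]" >&2; return 2; }
    url=$1
    shift
    if ! is_http_url "$url"; then
        echo "refusing to pass a non-http(s) URL to bibi" >&2
        return 2
    fi
    run_isolated bibi summarize "$url" "$@"
}
```

Source the file and call `summarize_isolated "<URL>" --json`; the exit status is that of bibi, or 2 when the wrapper refuses to run.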

Commands

Summarize a URL

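Important: URLs containing ? or & must be quoted so the shell passes them through unchanged: an unquoted ? is treated as a glob character, and an unquoted & ends the command and runs it in the background.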

# Basic summary (Markdown output to stdout)
bibi summarize "<URL>"

# Async mode — recommended for long videos (>30min)
bibi summarize "<URL>" --async

# Chapter-by-chapter summary
bibi summarize "<URL>" --chapter

# Fetch subtitles/transcript only (no AI summary)
bibi summarize "<URL>" --subtitle

# Full JSON response
bibi summarize "<URL>" --json

# Combine flags
bibi summarize "<URL>" --subtitle --json

Supported URL types: YouTube, Bilibili, podcasts, audio files, and any URL supported by BibiGPT.

Authentication

# Check current auth status
bibi auth check

# Open browser to log in
bibi auth login

# Show how to set API token
bibi auth set-token <TOKEN>

Updates

# Check if a new version is available
bibi check-update

# Download and install the latest version
bibi self-update

Output Format

  • Default: Markdown summary text sent to stdout. Progress info goes to stderr.
  • --json: Complete API response as pretty-printed JSON to stdout.

This means you can pipe the output:

bibi summarize "<URL>" > summary.md
bibi summarize "<URL>" --json | jq '.summary'

Error Handling

| Exit Code | Meaning |
|-----------|---------|
| 0 | Success |
| 1 | Error (auth missing, API error, timeout, etc.) |

| HTTP Status | User Action |
|-------------|-------------|
| 401 | Token expired — run bibi auth login or re-login in desktop app |
| 402/403 | Quota exceeded — visit https://bibigpt.co/pricing |
| 429 | Rate limited — wait and retry |

Usage Tips

  • For very long videos, use --async to avoid HTTP timeout.
  • Use --subtitle to get raw subtitles/transcript without AI summarization.
  • Use --json when you need structured data (e.g., sourceUrl, htmlUrl, detail).
  • The --chapter flag provides section-by-section summaries, useful for lectures or tutorials.
  • The CLI does NOT open any GUI window — all output goes to the terminal.
  • Run bibi check-update periodically to get new features and bug fixes.
