Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

bilibit

v0.1.11

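Bilibili video download tool. Supports downloading Bilibili videos and danmaku (bullet comments). Use when the user says "B 站下载" ("Bilibili download"), "哔哩哔哩" ("Bilibili"), or "bilibili". No API key required. Download-only tool; search is not supported.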

by Roland Dickens @aoturlab

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for aoturlab/bilibit.

Install the skill "bilibit" (aoturlab/bilibit) from ClawHub.
Skill page: https://clawhub.ai/aoturlab/bilibit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bbdown, ffmpeg
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install bilibit

ClawHub CLI

npx clawhub@latest install bilibit

Security Scan

Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description (B 站 video + danmaku downloader) align with code: CLI parses a URL, calls a BBDown wrapper to fetch/download, and records local history. Required binaries (BBDown, ffmpeg) are appropriate for downloading and merging media.
Instruction Scope
SKILL.md and CLI focus on URL-driven downloads and history. Minor scope inconsistency: several help messages and examples mention a 'search' command, but no search implementation exists in the code (product docs note search was intentionally removed). The CLI only reads a user-supplied cookie file if provided and writes local history (~/.bilibit/history.json). No instructions access unrelated system credentials or unexpected endpoints.
Install Mechanism
This is an instruction-only skill in registry, but package.json includes a postinstall script (scripts/install-bbdown.js) that downloads BBDown from GitHub releases (official repo URLs) using curl and unzip and writes the binary to node_modules/.bin. Downloading a release and extracting to disk is expected for this purpose but is a higher-risk install action than pure instruction-only packages; the URLs point to the official BBDown GitHub releases (not a random host).
Credentials
No environment variables or secret credentials are required. The code uses HOME/USERPROFILE to store history and an optional user-provided cookie file for premium downloads — this is proportional and documented. No evidence of exfiltration or access to unrelated secrets.
Persistence & Privilege
always:false and normal model invocation. The package writes a local history file under the user's home (~/.bilibit) and installs BBDown into node_modules/.bin during postinstall; it does not modify other skills or system-wide agent settings.
Assessment
This package appears to be a coherent Bilibili downloader. Before installing, note: (1) npm postinstall will try to download and extract an official BBDown release (curl + unzip) into node_modules/.bin — review scripts/install-bbdown.js if you want to confirm behavior; (2) it will create a history file at ~/.bilibit/history.json; (3) it accepts an optional cookie file (user-supplied) for premium-quality downloads — do not provide secrets you don't trust; (4) minor doc inconsistencies exist (mentions of a 'search' command and mismatched version numbers across files) but these are documentation/versioning issues, not indicators of malicious behavior. If you trust the GitHub repo link and are comfortable with the package running a postinstall download, installation is reasonable. If concerned, inspect the install script and download URLs yourself or run in an isolated environment.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • bin/bbdown-wrapper.js:15 - Shell command execution detected (child_process).
  • scripts/check-deps.js:17 - Shell command execution detected (child_process).
  • scripts/install-bbdown.js:18 - Shell command execution detected (child_process).
  • src/downloader/bbdown.js:57 - Shell command execution detected (child_process).

Runtime requirements

🎬 Clawdis
Bins: bbdown, ffmpeg
latest: vk978e46kjsf2zppwba8hwy24nh856frh
234 downloads
0 stars
11 versions
Updated 23h ago
v0.1.11
MIT-0

🎬 bilibit - Bilibili video download expert

A minimalist Bilibili video download tool. Paste a URL and download the video and danmaku in one step.


📦 Quick install

# clawhub
clawhub install bilibit

# npm
npm install -g bilibit

🚀 Usage examples

Download a video

bilibit https://b23.tv/BV1xx

Download with danmaku

bilibit https://b23.tv/BV1xx --danmaku

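💬 AI interaction rules (important!)

Trigger scenarios

Use bilibit when the user says any of the following:

  • "下载这个 B 站视频" ("Download this Bilibili video") + URL
  • "B 站下载" ("Bilibili download")
  • "哔哩哔哩视频" ("Bilibili video")
  • "下载弹幕" ("Download danmaku")

Unsupported scenarios

  • ❌ "搜索 B 站视频" ("Search Bilibili videos") - bilibit does not support search; the user must provide a URL
  • ❌ "找某个 UP 主的视频" ("Find videos from a certain uploader") - search is not supported; the user must first find the URL on Bilibili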

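Output format rules

📺 下载完成!已保存到:xxx

📌 回复序号查看历史

Prohibited behavior

  • ❌ Do not convert the output to a table
  • ❌ Do not reorder the output
  • ❌ Do not wrap URLs in []()

Must be preserved

  • ✅ The original output format
  • ✅ The download-complete notice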

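📋 Full command list

Command | Description | Example
bilibit <url> | Download video | bilibit https://b23.tv/BV1xx
bilibit <url> --danmaku | Download + danmaku | bilibit ... --danmaku
bilibit <url> --quality 4K | Specify quality | bilibit ... --quality 4K
bilibit history | Download history | bilibit history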

⚠️ Notes

  • For personal study use only
  • Premium-member quality requires a cookie
  • Danmaku is saved in XML format

🔗 Related links
