Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bilibili Downloader

v1.0.0

Download videos, audio, subtitles, and covers from Bilibili using bilibili-api. Use when working with Bilibili content for downloading videos in various qual...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the included scripts and instructions: all code uses the bilibili_api library to fetch video/audio/subtitles/covers and write them to disk. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md and scripts only describe running the bilibili_api client and writing downloaded assets to local disk and config files. They instruct (reasonably) how to provide a SESSDATA cookie for premium content. Note: the provided config file contains a cookies.SESSDATA placeholder — the scripts do not directly read that field, but the bilibili_api library may read environment variables or cookies; this is plausible but not explicitly wired in the included scripts.
Install Mechanism
Registry shows no install spec (instruction-only), which is low risk. However, the package includes multiple runnable Python scripts in the bundle (not purely prose), so the 'instruction-only' label is slightly misleading but not dangerous. The SKILL.md recommends installing bilibili-api-python via pip and requires ffmpeg locally — both expected for this functionality.
Credentials
No required environment variables are declared by the registry, which is proportional. SKILL.md advises exporting BILIBILI_SESSDATA for authenticated/premium downloads; that's reasonable. Caution: the included config JSON contains a plaintext cookies.SESSDATA placeholder. Storing session cookies in config files (or committing them) is a security/privacy risk — the skill itself does not demand broad unrelated credentials.
Persistence & Privilege
Skill does not request persistent/always-on presence and uses no special agent-level privileges. It performs local file I/O for downloads and config, which is appropriate for its purpose.
Assessment
This skill appears to do what it says: download Bilibili videos, audio, subtitles, and covers using the bilibili_api client. Before installing or running:

(1) Review where you store authentication cookies — do not keep SESSDATA in a repo or shared config; prefer setting BILIBILI_SESSDATA as an environment variable at runtime.
(2) Verify you trust the bilibili-api-python package you will pip install (check the package source and maintainers).
(3) Expect the scripts to write files to the local filesystem (output directories in config); ensure the output path is acceptable.
(4) The bundle includes runnable scripts — you may want to inspect or run them in a sandbox first if you have concerns.

If you need higher assurance, ask the publisher for clarification about how authentication cookies are consumed (environment vs config file) and why the registry lists no required env vars while the README references SESSDATA.

Like a lobster shell, security has layers — review code before you run it.
