Bilili-downloader
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to match its stated purpose of downloading user-specified Bilibili videos, but users should notice that it runs yt-dlp, writes downloaded files locally, relies on under-declared dependencies, and may involve sensitive cookies for restricted content.
This looks like a normal Bilibili downloader skill. Before installing or using it, make sure yt-dlp and ffmpeg come from trusted sources, confirm whether you want a single video or a full playlist, expect downloaded files in the working directory, and avoid providing Bilibili cookies unless you intentionally need account-gated content.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can download content from the network and create potentially large media files on the user's machine.
The script passes the user-provided URL to yt-dlp and writes downloaded media files locally. This is central to the downloader purpose and uses argument lists rather than shell execution, but it is still a meaningful external-tool and file-write capability.
cmd = ["yt-dlp", "--dump-json", url] ... cmd.extend(["-o", f"{output_dir}/%(title)s-[%(id)s].%(ext)s", "--progress", url])
Confirm the URL, batch setting, and desired output location before running; avoid using --batch unless you want the whole playlist or series downloaded.
If a user provides cookies, they may be granting access tied to their Bilibili account session.
The documentation says cookies may be needed for VIP or region-restricted content. Cookies can represent an authenticated Bilibili session, though the visible script does not show automatic cookie collection or handling.
For VIP content or region restrictions, you may need to provide a cookie
Do not paste cookies into chat casually; only provide a cookie file or account access if necessary, explicitly requested, and understood.
Installation may pull a newer dependency version than expected, and missing runtime tools may cause failures or require manual installation.
The dependency is specified with a lower bound rather than an exact pinned version, and the registry metadata does not declare the yt-dlp/ffmpeg runtime requirements listed in SKILL.md.
yt-dlp>=2023.01.01
Install yt-dlp and ffmpeg from trusted sources and consider pinning dependency versions in controlled environments.
