Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the declared runtime actions: it requires yt-dlp and an optional YT_DLP_PATH override to download Bilibili videos, and then delegates analysis to a video-analyze skill. Requests for yt-dlp are appropriate for a video-download parser.
Instruction Scope
SKILL.md is instruction-only and stays within expected boundaries (check yt-dlp, download to ./bilibili/videos, call doubao-video-analyze). It does instruct the agent to install/require another skill ('doubao-video-analyze') if missing and to create files under the workspace; those cross-skill install instructions are a functional dependency the user should be aware of. The doc references a workspace path placeholder ({YOUR_WORKSPACE_DIR}) that isn't declared in requires.env.
Install Mechanism
No install spec and no downloads are declared; this is an instruction-only skill (lowest install risk).
Credentials
Only YT_DLP_PATH is requested (and yt-dlp binary existence). This is proportionate for selecting a binary path. It's unusual that YT_DLP_PATH is marked as the 'primary credential' — it's a path, not a secret — so the metadata labeling is a minor inconsistency but not a functional problem.
Persistence & Privilege
always is false and the skill does not request permanent/global privileges. It does instruct the agent to install or call another skill at runtime, which could change the agent's capabilities if performed autonomously; that's a functional dependency rather than elevated privilege.
Assessment
This skill appears to do what it says (use yt-dlp to download a Bilibili video and hand the file to a video-analyze skill). Before installing/using it: 1) Ensure yt-dlp is installed from the official source (https://github.com/yt-dlp/yt-dlp) and that YT_DLP_PATH (if set) points to a trusted binary on disk. 2) Be aware the skill will create and write files under your workspace (./bilibili/videos); confirm you are comfortable with that. 3) The skill may try to install or call the separate 'doubao-video-analyze' skill — review that skill before allowing automatic installation or autonomous agent actions. 4) YT_DLP_PATH is a path, not a secret; avoid setting it to anything unexpected (e.g., remote URLs or wrappers you don't trust). If you want tighter control, disable autonomous invocation or require manual approval before the agent installs or invokes other skills.Like a lobster shell, security has layers — review code before you run it.
latestvk97etqmj66a57h7ycn0t3886wn82zwam
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📺 Clawdis
Binsyt-dlp
EnvYT_DLP_PATH
Primary envYT_DLP_PATH