Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bilibili Subtitle Downloader

v1.0.0

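Downloads Bilibili video subtitles, splits them into chunks for LLM (large language model) processing, and generates high-quality summaries. Use when the user provides a Bilibili BV ID or URL and wants a summary, key points, or a detailed breakdown of the video content.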

by 达芬奇_Davinci @davincievans
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (download Bilibili subtitles and chunk for LLM summarization) matches the included scripts: they log in via Bilibili QR, call Bilibili APIs, download subtitles, and write chunk files. Required capabilities (network access, local file writes) are appropriate for this purpose.
Instruction Scope
SKILL.md instructs running the provided scripts and handling QR outputs; that matches script behavior. However, SKILL.md claims cookies will be saved to ~/.openclaw/workspace/bilibili_cookie.txt for both workflows. In code, download_and_chunk.py does save a cookie string to ~/.openclaw/workspace/bilibili_cookie.txt, but cheese_downloader.py instead writes a JSON session file named 'bilibili_cheese_session.json' in the current working directory. This mismatch between documentation and implementation can make it unclear where credentials end up at runtime.
Install Mechanism
Instruction-only skill with bundled Python scripts; there is no external download/install step in the skill manifest. The scripts depend on Python packages (bilibili_api, qrcode, aiohttp, requests) but nothing in the manifest pulls arbitrary remote code during install.
Credentials
The scripts perform QR-based login and persist authentication cookies/credentials in plaintext files: download_and_chunk.py writes a cookie string to ~/.openclaw/workspace/bilibili_cookie.txt; cheese_downloader.py writes credential JSON to a local 'bilibili_cheese_session.json'. Storing SESSDATA/bili_jct/buvid3 in plain files is sensitive because those cookies can be used to impersonate your Bilibili account. No environment variables are requested, which is consistent, but the persistent local storage of credentials is a privacy/security concern and should be documented and protected.
Persistence & Privilege
The skill does not request global 'always: true' or elevated platform privileges. It writes files to bili_temp/ and to ~/.openclaw/workspace/ (cookie), and creates a session file in cwd. Writing its own session/cookie files is expected, but be aware these files persist unless removed and could be reused by the scripts later.
What to consider before installing
This skill appears to implement the advertised subtitle-download-and-chunking workflow, but you should:
- Review and understand the code before running. The scripts perform network calls to api.bilibili.com and save authentication cookies locally.
- Be cautious about scanning the QR: scanning logs your account into the running environment; only do so if you trust the code and environment.
- Note the inconsistency: one script saves cookies to ~/.openclaw/workspace/bilibili_cookie.txt, the other saves a JSON session to ./bilibili_cheese_session.json. That may affect subsequent runs; verify where credentials are stored and read.
- Treat the saved cookie/session files as sensitive: they contain tokens (SESSDATA, bili_jct, buvid3) that can be used to impersonate your account. Consider deleting these files after use or running the skill in an isolated environment.
- If you want stronger security, modify the scripts to encrypt stored credentials, store them in a secure credential store, or avoid persistent storage entirely. If you do not fully trust the source, run the scripts in a disposable VM or container, and remove the cookie/session files after use.


latestvk978pnqddn9wq080bv2x0veh6181h2y2
