Bilibili Video Summary
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: bilibili-video-summary Version: 1.0.0 The skill bundle is a legitimate tool for extracting and summarizing Bilibili video content. The core logic in `bili-transcript.py` uses well-known utilities like `yt-dlp` and `whisper.cpp` to fetch metadata, subtitles, and transcribe audio. The script handles subprocess calls safely using lists rather than shell strings, and there is no evidence of data exfiltration, credential theft, or malicious prompt injection in `SKILL.md`. All network activity is directed toward Bilibili APIs as expected for the stated functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local code and helper tools such as yt-dlp and whisper-cli on the user's machine.
The skill instructs the agent to run a local Python script, which is expected for extracting and transcribing video content.
python bili-transcript.py "<video_url>"
Use trusted copies of the script and dependencies, and run it only for videos you intend to process locally.
Dependency behavior may vary depending on what versions are installed, and external binaries/models should come from trusted sources.
The Python dependencies use lower-bound version ranges rather than pinned versions, and the README also expects a separately downloaded whisper.cpp binary/model.
yt-dlp>=2024.0 av>=10.0.0
Install dependencies from trusted package indexes, consider pinning versions, and download whisper.cpp/model files only from reputable releases.
If the user configures yt-dlp or the environment with authenticated Bilibili access, the tool may process restricted account-accessible content.
The documentation acknowledges that some Bilibili content may require login, although the artifacts do not show explicit credential collection or token handling.
Some content requires login (paid courses, restricted videos) — may fail
Avoid exposing browser cookies or authenticated profiles unless necessary, and understand what account-accessible content the tool may fetch.
Transcript and comment data remains on disk after the run and may include public usernames, comments, or restricted-video content if authenticated access is used.
The skill stores retrieved video transcripts and community content locally for the agent to read and summarize.
Output files are saved to `./bili-output/`: `transcript.txt`, `danmaku.json`, `comments.json`
Delete output files when no longer needed, and treat transcript/comment text as untrusted content to summarize rather than instructions to follow.