Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bilibili Transcriber
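v1.0.0
Bilibili video-to-text summary expert. Supports dual-engine transcription: cloud (Alibaba Cloud Paraformer) and local (faster-whisper). When the user provides a Bilibili video URL, it automatically downloads the audio, transcribes it to text, and generates a structured summary. Supports BV IDs and full URLs.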
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: modules implement Bilibili metadata fetch, subtitle fetching, audio download, local faster-whisper transcription, and an optional cloud Paraformer flow. The presence of model download logic, model selection heuristics, and yt-dlp/ffmpeg usage is coherent for the described goal.
Instruction Scope
SKILL.md and the Python modules consistently instruct: check for Bilibili CC subtitles first, otherwise download audio (yt_dlp), optionally convert with ffmpeg, transcribe locally or upload to cloud Paraformer, then produce a Markdown summary. The instructions reference environment variables (DASHSCOPE_API_KEY, OPENAI_API_KEY) and recommend pip installs; these actions stay within the stated purpose (they do network I/O, file I/O, and model downloads which are expected for transcription).
Install Mechanism
There is no formal install spec in the registry (instruction-only), but included code performs model downloads at runtime (ModelScope/snapshot_download and setting HF mirror), uses pip-installable packages (faster-whisper, yt-dlp, dashscope), and expects ffmpeg installed separately. Runtime model downloads from third-party mirrors (hf-mirror.com / ModelScope) are common for large models but increase trust surface (you should trust those hosts).
Credentials
Registry metadata lists no required env vars, but both SKILL.md and cloud_transcriber.py require/expect DASHSCOPE_API_KEY or OPENAI_API_KEY for cloud Paraformer. The code will accept OPENAI_API_KEY as a fallback and send it as a Bearer token to dashscope.aliyuncs.com — this can cause accidental leakage of an OpenAI key to a third-party service if the user sets that variable. The skill also uploads audio (potentially sensitive) to an external cloud when cloud mode is used; that is functionally coherent but has privacy implications that are not surfaced in the registry metadata.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system-wide privileges. It does cache models in the user's home cache directory (~/.cache/modelscope) and keeps model instances in memory while running (normal for a transcriber). No code modifies other skills or global agent settings.
What to consider before installing
This skill appears to implement the described Bilibili -> transcription -> summary flow, but take these precautions before installing:
- Credential caution: The cloud path requires DASHSCOPE_API_KEY (Paraformer). The code will also accept OPENAI_API_KEY and send it as a Bearer token to dashscope.aliyuncs.com — do not set your OpenAI key as a convenience fallback unless you understand that it will be sent to a third party.
- Privacy: Cloud transcription uploads your audio to dashscope.aliyuncs.com / OSS temporary storage. If the audio contains sensitive information, prefer the local faster-whisper path.
- Model downloads and mirrors: The skill sets HF endpoint to a mirror and can download models via ModelScope/snapshot_download. Only proceed if you trust those hosts (hf-mirror.com / ModelScope / the model owners listed). Consider running in an isolated environment if you are concerned.
- Registry mismatch: The registry metadata did not declare required environment variables, but the code and SKILL.md do. Treat the skill as requiring optional cloud credentials and verify any env vars before exporting them.
- Operational safety: The skill runs network I/O (calls Bilibili APIs, downloads audio, posts to Paraformer, downloads models). Review the included Python files yourself or run the skill in a sandbox/VM if you have limited trust.
If you only want local transcription, do not set DASHSCOPE_API_KEY / OPENAI_API_KEY and ensure faster-whisper, yt-dlp and ffmpeg are installed locally; then the skill will fall back to offline transcription.
