Bilibili Notion Pipeline Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s workflow matches its stated Bilibili-to-Notion purpose, but it uses undeclared credentials/session files and can upload video and modify Notion content, so it should be reviewed before use.
Use this only if you are comfortable granting a Notion integration access to the target database/page and sending the downloaded mp4 to the configured upload service. Set credentials explicitly, prefer least-privilege tokens, avoid broad cookie files, and verify the cleanup mode before running.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running this may require giving the skill access to your Notion workspace, an upload backend, and possibly Bilibili session cookies.
The script consumes Notion credentials, an upload token, and an optional Bilibili cookie file, while the registry metadata declares no required env vars and no primary credential. These credentials are purpose-related, but they grant account/session authority that is under-disclosed.
```python
import os

NOTION_API_KEY = os.getenv("NOTION_API_KEY", "")
NOTION_DATABASE_ID = os.getenv("NOTION_DATABASE_ID", "")
UPLOAD_TOKEN = os.getenv("UPLOAD_TOKEN", "")
BILI_COOKIES_FILE = os.getenv("BILI_COOKIES_FILE", "")
```

Declare these credentials in metadata, use least-privilege Notion integrations, avoid broad browser cookie exports, and confirm exactly which database/page and upload service will be used.
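A preflight check for the two points above (undeclared credentials and over-broad cookie files), written as an added example for this review rather than code from the skill or from ClawScan. It reads the same four variable names the skill reads, reports which required ones are unset, and parses a Netscape-format cookies.txt to list every cookie domain that is not bilibili.com. The allowlist of one domain, the `preflight` helper name and the sample cookie file are assumptions made for the example; the cookie lines are constructed with placeholder values.

```python
import os
from pathlib import Path
from typing import Dict, List

# Variables the skill reads via os.getenv but the registry metadata does not declare.
REQUIRED_ENV = ["NOTION_API_KEY", "NOTION_DATABASE_ID", "UPLOAD_TOKEN"]

# Assumption: the Bilibili download step only needs cookies for bilibili.com.
# Extend this tuple if your setup legitimately needs other hosts.
ALLOWED_COOKIE_DOMAINS = ("bilibili.com",)


def check_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable problems with the credential environment (empty list if clean)."""
    problems = [f"{name} is not set" for name in REQUIRED_ENV if not env.get(name)]
    cookie_file = env.get("BILI_COOKIES_FILE", "")
    if cookie_file and not Path(cookie_file).is_file():
        problems.append(f"BILI_COOKIES_FILE points to a missing file: {cookie_file}")
    return problems


def cookie_domains(netscape_text: str) -> List[str]:
    """Distinct cookie domains from a Netscape cookies.txt body, in first-seen order.

    Each data line is 7 tab-separated fields: domain, include-subdomains flag, path,
    secure flag, expiry, name, value. Browser exports may prefix a line with
    '#HttpOnly_', which is data, not a comment.
    """
    seen: Dict[str, None] = {}
    for raw in netscape_text.splitlines():
        line = raw.strip()
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed line; skip rather than guess
        seen.setdefault(fields[0], None)
    return list(seen)


def is_allowed_domain(domain: str, allowed=ALLOWED_COOKIE_DOMAINS) -> bool:
    """True if the cookie domain is one of the allowed domains or a subdomain of one."""
    bare = domain.lstrip(".").lower()
    return any(bare == a or bare.endswith("." + a) for a in allowed)


def foreign_cookie_domains(netscape_text: str) -> List[str]:
    """Cookie domains in the file that have nothing to do with Bilibili (sorted)."""
    return sorted(d for d in cookie_domains(netscape_text) if not is_allowed_domain(d))


# Constructed sample of a "whole browser" cookie export; values are placeholders.
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",
    ".bilibili.com\tTRUE\t/\tTRUE\t1800000000\tSESSDATA\tREDACTED",
    "#HttpOnly_.bilibili.com\tTRUE\t/\tTRUE\t1800000000\tbili_jct\tREDACTED",
    ".google.com\tTRUE\t/\tTRUE\t1800000000\tSID\tREDACTED",
    "github.com\tFALSE\t/\tTRUE\t1800000000\tuser_session\tREDACTED",
])


def preflight(env: Dict[str, str]) -> List[str]:
    """Run both checks against a real environment mapping and collect the findings."""
    problems = check_env(env)
    cookie_file = env.get("BILI_COOKIES_FILE", "")
    if cookie_file and Path(cookie_file).is_file():
        text = Path(cookie_file).read_text(encoding="utf-8", errors="replace")
        foreign = foreign_cookie_domains(text)
        if foreign:
            problems.append("cookie file also carries sessions for: " + ", ".join(foreign))
    return problems


if __name__ == "__main__":
    for p in preflight(dict(os.environ)):
        print("preflight:", p)
    print("constructed sample would be flagged for:", foreign_cookie_domains(SAMPLE_COOKIES))
```

Run it in the same shell you intend to run the skill from; any domain it lists beyond bilibili.com is a session the skill never needs but would still be able to read from the file.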
A single run can publish a video to the configured upload backend, write persistent Notion content, and remove temporary local files.
The main command intentionally chains video upload, Notion page creation/update, block writing, and cleanup. This is aligned with the skill purpose, but it is a broad multi-step workflow that users should invoke deliberately.
`run` executes in order: ... upload the video ... create / update the Notion page ... write body blocks ... clean up local intermediate files
Before using the one-command run mode, confirm the target Notion database/page, upload backend, cleanup mode, and whether any existing content may be changed.
The downloaded video may be sent to a third-party or self-hosted upload service and receive a public download URL.
The script uploads the selected mp4 to whatever UPLOAD_URL is configured and authenticates with UPLOAD_TOKEN. This is disclosed by the pipeline purpose, but the destination is environment-controlled: whoever sets UPLOAD_URL decides where the video and the bearer token are sent, so it must be an endpoint you trust.

```python
resp = requests.post(
    UPLOAD_URL,
    headers={"Authorization": f"Bearer {UPLOAD_TOKEN}"},
    files={"file": (video_path.name, fh, "video/mp4")},
)
```

Use only a trusted upload endpoint, understand whether the returned URL is public, and avoid uploading private or copyrighted material unless you intend to.
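One way to enforce "only a trusted upload endpoint" before the post above runs, added here as an example and not taken from the skill: validate UPLOAD_URL against an operator-maintained allowlist and refuse plain http (the token travels as a Bearer header, so anything but TLS exposes it) and URLs with embedded userinfo (a common way to make `trusted-host@evil.example` look like the trusted host). The allowlist hostnames, the `upload_url_problem` and `upload_video` names and the 600-second timeout are assumptions for this example.

```python
from pathlib import Path
from typing import Optional, Set
from urllib.parse import urlsplit

# Assumption: the operator keeps a short allowlist of upload hosts they run or trust.
# These hostnames are placeholders for this example.
TRUSTED_UPLOAD_HOSTS: Set[str] = {"upload.example.internal", "media.example.org"}


def upload_url_problem(url: str, trusted_hosts: Set[str] = TRUSTED_UPLOAD_HOSTS) -> Optional[str]:
    """Return None if url is an acceptable destination for the mp4 and bearer token,
    otherwise a short reason for refusing it."""
    if not url:
        return "UPLOAD_URL is empty"
    parts = urlsplit(url)
    if parts.scheme != "https":
        # The script sends UPLOAD_TOKEN as a Bearer header; without TLS it is sent in clear text.
        return f"scheme must be https, got {parts.scheme or 'none'!r}"
    if parts.username or parts.password:
        # "https://upload.example.internal@evil.example/" parses with a username, not a trusted host.
        return "credentials embedded in URL"
    host = (parts.hostname or "").lower()  # urlsplit lowercases hostname and strips the port
    if host not in trusted_hosts:
        return f"host {host!r} is not in the upload allowlist"
    return None


def upload_video(video_path: Path, url: str, token: str):
    """Guarded version of the skill's upload call: refuses untrusted destinations
    before any bytes or the token leave the machine."""
    reason = upload_url_problem(url)
    if reason:
        raise ValueError(f"refusing upload: {reason}")
    import requests  # imported here so the URL checks work even without the package installed
    with open(video_path, "rb") as fh:
        resp = requests.post(
            url,
            headers={"Authorization": f"Bearer {token}"},
            files={"file": (video_path.name, fh, "video/mp4")},
            timeout=600,
        )
    resp.raise_for_status()
    return resp


if __name__ == "__main__":
    for candidate in [
        "https://upload.example.internal/api/upload",
        "http://upload.example.internal/api/upload",
        "https://upload.example.internal@evil.example/api/upload",
        "https://evil.example/api/upload",
    ]:
        print(candidate, "->", upload_url_problem(candidate) or "ok")
```

The check says nothing about whether the URL the service returns is public; that depends on the backend, and the only reliable way to know is to fetch the returned URL from an unauthenticated client and see whether it serves the file.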
The skill may fail unless the right packages and binaries are already installed, and users must source those dependencies themselves.
The code depends on external Python packages and local media/ASR binaries, but the registry reports no install spec and no required binaries. This is a dependency/provenance gap users should account for.
```python
import requests
from yt_dlp import YoutubeDL
...
"ffmpeg", "-y", "-i", str(video_path), ...
"ffprobe", "-v", "error",
```
Add an install spec or clear setup documentation with pinned versions for Python dependencies and required tools such as ffmpeg/ffprobe and Whisper/faster-whisper.
Running the skill will execute local tools such as ffmpeg, ffprobe, and possibly Whisper on your machine.
The skill executes local commands for media processing and transcription. The visible calls pass argument lists to subprocess.run rather than shell command strings, so a hostile file name is not interpreted by a shell, and the commands are central to the stated purpose.

```python
import subprocess
from typing import List


def run(cmd: List[str]) -> None:
    subprocess.run(cmd, check=True)
```

Install these tools from trusted sources and run the skill in an environment where media-processing command execution is acceptable.
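An added example, not code from the skill, covering the two preceding points: a preflight that reports which of the undeclared binaries and packages are actually missing, and a side-by-side demonstration of why the argv-list form of `run` matters. A Python child process stands in for ffmpeg so the example runs without ffmpeg installed; the hostile file name is constructed and its payload is a harmless `echo` so that the unsafe shell-string variant can be run safely. The names `missing_dependencies`, `argv_seen_by_child` and `shell_string_demo` are this example's own.

```python
import importlib.util
import json
import shutil
import subprocess
import sys
from typing import Dict, List

# Tools and packages the skill's code calls but the registry does not declare.
REQUIRED_BINARIES = ["ffmpeg", "ffprobe"]
REQUIRED_MODULES = ["yt_dlp", "requests"]


def missing_dependencies(binaries=REQUIRED_BINARIES, modules=REQUIRED_MODULES) -> Dict[str, List[str]]:
    """Report which required binaries are not on PATH and which modules cannot be imported."""
    return {
        "binaries": [b for b in binaries if shutil.which(b) is None],
        "modules": [m for m in modules if importlib.util.find_spec(m) is None],
    }


def run(cmd: List[str]) -> None:
    """Same shape as the skill's helper: an argv list, no shell involved."""
    subprocess.run(cmd, check=True)


# Constructed file name that would be dangerous if it ever reached a shell.
HOSTILE_NAME = "clip.mp4; echo INJECTED"


def argv_seen_by_child(args: List[str]) -> List[str]:
    """Spawn a Python child in place of ffmpeg and return the argv it received.
    With an argv list, the hostile name arrives as exactly one argument."""
    cmd = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *args]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def shell_string_demo(name: str) -> List[str]:
    """The unsafe alternative: interpolate the name into a shell command string.
    printf prints its argument, then the shell runs the injected 'echo INJECTED'."""
    proc = subprocess.run(f"printf '%s\\n' {name}", shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("missing:", missing_dependencies())
    print("argv list, child saw:", argv_seen_by_child(["-i", HOSTILE_NAME]))
    print("shell string produced:", shell_string_demo(HOSTILE_NAME))
```

The first print tells you what to install before the skill can work; the last two show the difference the argv-list form makes: the child sees `["-i", "clip.mp4; echo INJECTED"]` as two arguments, while the shell-string variant produces a second line, `INJECTED`, from the command smuggled in the file name.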
