ClawHub

bilibili-upload

ReviewAudited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Bilibili video uploader, but it uses a saved Bilibili login and an external uploader package, so users should confirm exactly what will be uploaded.

Use this skill only if you intend to let the agent upload videos to your Bilibili account. Log in manually on a trusted machine, verify the biliup package you install, and always review the selected video file and upload metadata before running the command.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium
#ASI02: Tool Misuse and Exploitation
What this means

If run with the wrong file or metadata, the agent could upload unintended content to the user's Bilibili account.

Why it was flagged

The script invokes an external CLI to upload a user-specified file and metadata to Bilibili. This is aligned with the skill purpose, but it can publish or change content on the user's account.

Skill content
cmd = [
        'biliup', 'upload',
        '--title', args.title,
        '--desc', args.desc,
        '--tag', args.tags,
        '--tid', str(args.tid),
        video_path
    ]
Recommendation

Confirm the exact video path, title, description, tags, and partition before allowing an upload.

Medium
#ASI03: Identity and Privilege Abuse
What this means

Anyone or any agent process with access to the saved Bilibili session may be able to upload under the user's account until the session is revoked or expires.

Why it was flagged

The skill relies on a persistent Bilibili login session. This is expected for uploading, but the saved session can continue authorizing uploads later.

Skill content
Login cookies are saved locally for future use
Recommendation

Log in only on a trusted machine, protect the local biliup cookies/session files, and revoke or refresh the Bilibili session if access is no longer needed.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

The actual upload behavior depends on the installed biliup package version and provenance.

Why it was flagged

The skill depends on an external package/CLI that is not included in the artifact and is not pinned in the provided install metadata. This is purpose-aligned, but the dependency itself is outside this review.

Skill content
`biliup` package (installed automatically: `pip install biliup`)
Recommendation

Install biliup from a trusted source, consider pinning a known-good version, and review its behavior before using it with your Bilibili account.