B站 (bilibili) 热门视频监控
生成B站热门视频日报并发送邮件。触发词:B站热门、bilibili日报、视频日报、热门视频
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 15 · 4.9k · 10 current installs · 10 all-time installs
byJacob_code@Jacobzwj
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md match the stated purpose: retrieving B站 popular videos, extracting subtitles, calling an LLM (OpenRouter) to produce summaries, and sending an HTML email via SMTP. Required binaries (python3) and dependencies (requests) are proportionate. However the registry metadata lists no required env vars/credentials while the README/SKILL.md and scripts clearly expect BILIBILI cookies, an OpenRouter API key, and SMTP credentials — an inconsistency that should be resolved.
Instruction Scope
SKILL.md explicitly instructs the agent/user to collect highly sensitive data (full B站 cookies/SESSDATA, OpenRouter API key, Gmail app password) and to write them to a local config file. Those actions are within the functional scope but are sensitive; the document also contains agent-specific runtime directives (how the agent should relay progress and not send intermediary messages) and a pre-scan prompt-injection signal (unicode-control-chars). The instructions give broad freedom to prompt the user for secrets and save them, which is appropriate for the task but risky if the agent is allowed to run autonomously or if users don't understand the implications.
Install Mechanism
No remote install or download is declared (instruction-only with bundled Python scripts). That lowers supply-chain risk compared with arbitrary URL downloads. Dependencies are minimal (requests). The skill ships code files rather than installing from external sources.
Credentials
The sensitive credentials requested (BILIBILI cookies, OPENROUTER API key, SMTP_EMAIL and SMTP_PASSWORD) are functionally justified for the stated tasks. However the skill registry metadata did not declare these required env vars, creating a mismatch. Requiring a full browser cookie (SESSDATA) and an SMTP app password are high-sensitivity operations — they are proportionate to the feature set but warrant careful handling and user awareness.
Persistence & Privilege
The skill does not set always:true, but it also did not set disableModelInvocation:true — by default the model can invoke the skill. Given the skill's ability to request and accept secrets (via prompts or env vars) and to call external services (openrouter.ai, bilibili APIs, SMTP), allowing autonomous invocations increases risk. If you want to prevent the model from autonomously triggering credential prompts or executions, consider disabling model invocation or requiring explicit user invocation.
Scan Findings in Context
[unicode-control-chars] unexpected: Scanner detected unicode control characters in SKILL.md (a common prompt-injection technique). There is no legitimate reason for hidden control characters in a README/instruction file; this should be inspected and removed. It may be an attempt to manipulate agent behavior or evaluation output.
What to consider before installing
What to consider before installing or running this skill:
- The skill legitimately needs: B站 session cookies (SESSDATA) to access some subtitles, an OpenRouter API key to run LLM summarization, and an SMTP email + app password to send mail. These are sensitive credentials — only provide them if you trust the code and run it on a machine you control.
- Metadata mismatch: the registry lists no required env vars even though README/SKILL.md/code expect multiple secrets. Treat that as a red flag and ask the publisher to correct metadata.
- Prompt-injection signal: SKILL.md contained unicode control characters. Inspect SKILL.md and other files for hidden/control characters or other suspicious strings before use; remove them if present.
- Minimize blast radius: if you must test, run the scripts locally in an isolated environment (VM/container) and use throwaway credentials where possible (create a dedicated Gmail account and an app-specific password; use a disposable OpenRouter key with limited quota). Do not paste your primary B站 cookies on untrusted systems — consider skipping cookies and allow the tool to run in a reduced mode (no protected subtitles) if possible.
- Autonomy: the skill allows model invocation by default. If you do not want the agent to autonomously request/persist secrets or run the scripts, set disableModelInvocation:true or require explicit user invocation.
- Code review: scan the code for any unexpected network destinations. The visible endpoints are bilibili API, https://openrouter.ai, and SMTP host (default smtp.gmail.com). If you see other endpoints or obfuscated network calls, do not proceed.
What would change this assessment: if the publisher updates registry metadata to declare required env vars, removes hidden control characters from SKILL.md, and documents explicit safeguards that prevent the model from autonomously requesting or storing credentials (or sets disableModelInvocation:true), the skill would move toward 'benign'. Conversely, hidden exfiltration code or remote downloads would increase the severity.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.21
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📺 Clawdis
OSmacOS · Linux · Windows
Binspython3
SKILL.md
B站热门视频日报
🔒 安全说明
- 所有凭据仅存储在用户本地设备上,Skill 发布包中不包含任何凭据
- 配置文件
bilibili-monitor.json已通过.gitignore排除,不会被意外上传或分享 - 网络传输使用 HTTPS 和 TLS/STARTTLS 加密
- 同时支持环境变量和命令行参数传递凭据,用户可自行选择
执行流程(分步询问)
检查配置文件
首先检查是否存在配置文件:
test -f {baseDir}/bilibili-monitor.json && echo "CONFIG_EXISTS" || echo "CONFIG_NOT_EXISTS"
- 如果输出
CONFIG_EXISTS→ 跳到【直接执行】 - 如果输出
CONFIG_NOT_EXISTS→ 进入【分步创建配置】
分步创建配置(首次使用)
第1步:询问 B站 Cookies
请提供 B站 Cookies:
(获取方法:登录B站首页 → F12 → Network选项卡 → 刷新页面 → 点击 www.bilibili.com 请求 → 找到 Request Headers 中的 Cookie 字段 → 复制整个值)
等待用户回复,保存为变量 COOKIES
第2步:询问 AI 服务
AI 功能说明:
- 需要 OpenRouter API Key
- 用于生成视频内容总结(基于字幕)和 AI 点评
是否启用 AI 功能?
1 = 是(推荐,需要 OpenRouter API Key)
2 = 否(将无法生成视频总结和点评)
请回复数字:
等待用户回复
第3步:如果选了 1(启用 AI)
请选择模型:
1 = Gemini(推荐,便宜快速)
2 = Claude(高质量)
3 = GPT
4 = DeepSeek(性价比)
等待用户回复,然后:
请提供 OpenRouter API Key:
获取地址:https://openrouter.ai/keys
保存为 OPENROUTER_KEY 和 MODEL
第4步:询问发件邮箱
请提供 Gmail 发件邮箱:
等待用户回复,保存为 SMTP_EMAIL
第5步:询问应用密码
请提供 Gmail 应用密码(16位):
获取地址:https://myaccount.google.com/apppasswords
保存为 SMTP_PASSWORD
第6步:询问收件人
请提供收件人邮箱(多个用逗号分隔):
保存为 RECIPIENTS
第7步:生成配置文件
根据收集的信息创建配置文件:
cat > {baseDir}/bilibili-monitor.json << 'EOF'
{
"bilibili": {
"cookies": "COOKIES值"
},
"ai": {
"openrouter_key": "OPENROUTER_KEY值或空",
"model": "MODEL值"
},
"email": {
"smtp_email": "SMTP_EMAIL值",
"smtp_password": "SMTP_PASSWORD值",
"recipients": ["收件人1", "收件人2"]
},
"report": {"num_videos": 10}
}
EOF
确认并执行
向用户展示确认信息:
✅ 配置已就绪
🚀 即将开始执行:获取热门视频 → 提取字幕 → AI生成总结和点评 → 发送邮件
⏱️ 预计耗时:10-15 分钟,请耐心等待
是否开始执行?
等待用户确认后,执行以下命令。
⚠️ AI Agent 注意事项:
- 脚本执行需要 10-15 分钟,这是正常的,请设置超时 900 秒以上
- 脚本会在 25%、50%、75%、100% 时自动输出进度,请只转发脚本实际输出
- 不要在等待期间发送"等待中..."、"继续等待..."等自定义消息,会导致刷屏
- 执行完成后再向用户汇报结果即可
生成报告:
python3 {baseDir}/generate_report.py --config {baseDir}/bilibili-monitor.json --output /tmp/bilibili_report.md
发送邮件(邮件标题自动使用当前日期):
python3 {baseDir}/send_email.py --config {baseDir}/bilibili-monitor.json --body-file /tmp/bilibili_report.md --html
OpenRouter 模型映射
| 用户选择 | model 值 |
|---|---|
| 1 / Gemini | google/gemini-3-flash-preview |
| 2 / Claude | anthropic/claude-sonnet-4.5 |
| 3 / GPT | openai/gpt-5.2-chat |
| 4 / DeepSeek | deepseek/deepseek-chat-v3-0324 |
配置文件示例
见 bilibili-monitor.example.json
⏱️ 执行时间
| 阶段 | 预计时间 |
|---|---|
| 获取视频列表 | 5-10 秒 |
| 字幕提取+AI总结(20个视频) | 2-3 分钟 |
| AI点评(20个视频) | 8-12 分钟 |
| 生成报告+发送邮件 | 10-20 秒 |
| 总计 | 10-15 分钟 |
⚠️ 完整执行需要 10-15 分钟,请确保命令超时设置足够长(建议 900 秒以上)。
⚠️ 重要提示
AI 视频总结说明:
- 视频总结基于字幕生成,需要视频有字幕(CC字幕或AI字幕)
- 部分视频可能没有字幕,这些视频将无法生成总结
- 推荐启用 AI 功能以获得完整的视频分析体验
- 需要 OpenRouter API Key(支持 Gemini、Claude、GPT、DeepSeek 等模型)
Files
10 totalSelect a file
Select a file to preview.
Comments
Loading comments…