v1.0.21

B站 (bilibili) 热门视频监控

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:18 AM.

Analysis

The skill’s Bilibili report workflow is coherent, but it asks for powerful account and email credentials and stores them locally without declaring that credential scope.

GuidanceReview carefully before installing. This does not show clear malicious exfiltration, but you should only run it if you are comfortable giving it Bilibili session cookies and Gmail sending credentials. Use dedicated/revocable credentials, avoid sharing bilibili-monitor.json, verify recipients, and prefer sanitized/plaintext email output.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

等待用户确认后，执行以下命令。 ... python3 {baseDir}/generate_report.py --config {baseDir}/bilibili-monitor.json --output /tmp/bilibili_report.md ... python3 {baseDir}/send_email.py --config {baseDir}/bilibili-monitor.json --body-file /tmp/bilibili_report.md --html

The workflow runs local Python scripts and sends email, which is central to the skill and gated by user confirmation, but it is still a side-effecting action users should review.

User impactAfter confirmation, the skill can generate files, contact external services, and send messages to the configured recipients.

RecommendationConfirm the recipients and config before execution, and run it from the expected skill directory.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

requirements.txt

requests>=2.28.0

The runtime dependency is specified as an open version range, and the registry has no install spec; this is common for Python tooling but is less reproducible than pinned dependencies.

User impactDifferent installs could resolve to different requests versions.

RecommendationPin dependency versions or provide a lockfile/install spec for reproducible installs.

Cascading Failures

SeverityMediumConfidenceMediumStatusConcern

send_email.py

html_parts.append(f'<div class="video-title"><span class="num">{num}</span>{title}</div>') ... html_parts.append(f'<div class="quote">{content}</div>') ... html_parts.append(f'<p>{text}</p>')

Report text is interpolated directly into HTML email output without visible HTML escaping; because the report includes external Bilibili/AI-generated content, untrusted text could alter the rendered email sent to all recipients.

User impactA malicious or malformed title, description, subtitle-derived summary, or model output could change how the email renders or mislead recipients.

RecommendationEscape or sanitize all report fields before HTML rendering, whitelist links, or send plaintext reports by default.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

请提供 B站 Cookies ... 请提供 OpenRouter API Key ... 请提供 Gmail 应用密码（16位） ... cat > {baseDir}/bilibili-monitor.json ... "cookies": "COOKIES值" ... "smtp_password": "SMTP_PASSWORD值"

The skill collects a full Bilibili browser cookie, an AI API key, and Gmail SMTP credentials, then persists them in a local JSON config; this is high-impact credential authority and is not reflected in the registry credential declarations.

User impactRunning the skill gives it enough information to use the user’s Bilibili session, spend/use an OpenRouter key, and send email as the configured Gmail account. If the config file is exposed, those credentials could be reused.

RecommendationPrefer environment variables or an OS keychain, use the minimum Bilibili cookie/token needed, use a dedicated Gmail app password, restrict file permissions, declare credentials in metadata, and rotate credentials if the config is shared or exposed.