ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube/B站 视频搜索下载

v1.0.0

多站点视频搜索、下载、字幕提取工具。支持 YouTube、B站(Bilibili)等主流平台。 结合 YouTube Data API v3 进行高级搜索,yt-dlp 下载视频/音频/字幕。 核心能力:全站关键词搜索、频道浏览、按时间/播放量/相关度排序、下载视频、提取音频(MP3)、下载字幕(中英文)、查看视...

0· 88·3 current·3 all-time
by@joppyao-bit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The description advertises multi-site support (YouTube and Bilibili) and advanced search, and the code and SKILL.md clearly implement YouTube Data API search + yt-dlp downloads. However: (1) the registry metadata lists no required environment variables even though the tool needs an API key (YT_BROWSE_API_KEY or YOUTUBE_API_KEY); (2) Bilibili search/browsing capability is claimed in README/SKILL.md but the provided script only calls YouTube APIs and formats YouTube URLs (no Bilibili API/search implementation). These are functional mismatches that could surprise users.
Instruction Scope
SKILL.md prescribes using the script at ~/.claude/skills/… and running yt-dlp commands (including --cookies-from-browser chrome) and auto-translating titles without asking the user. The download/subtitle instructions will cause the agent to: call Google APIs, run yt-dlp (which may access browser cookies), write .srt/.txt files to ~/Downloads, and post-process SRT into TXT via a small Python snippet. These actions are consistent with download tasks but the forced translation behavior (must replace '【译】___' without asking) is a policy/scope decision the user should be aware of.
Install Mechanism
No install spec is provided (instruction-only skill with included script file). No external archives or untrusted downloads are specified. The only runtime dependency (yt-dlp) is a common third‑party tool the SKILL.md asks the user to install via brew/pip — no hidden installer URLs or extract steps present.
!
Credentials
The code requires a YouTube API key (reads YT_BROWSE_API_KEY or YOUTUBE_API_KEY) but the registry metadata declared no required env vars — an inconsistency. Besides that, the skill does not request other credentials. Note: instructions encourage yt-dlp's --cookies-from-browser which can access browser cookies (sensitive), so users should understand that downloading certain videos may cause access to local browser profile data via yt-dlp.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It will store its script under the skills directory (normal). It can be invoked autonomously (default), which is expected for skills, but that is not combined here with elevated privileges or hidden credentials.
What to consider before installing
Before installing: (1) realize the skill requires a YouTube API key (set YT_BROWSE_API_KEY or YOUTUBE_API_KEY) — the registry metadata omitted this, so it may fail if you don't provide it; (2) the README claims Bilibili support but the included script only implements YouTube search (you can still use yt-dlp to download Bilibili URLs, but channel/search features for Bilibili are not implemented); (3) the tool runs yt-dlp and recommends --cookies-from-browser, which can read browser cookies/profiles — only allow that if you trust the code and understand the privacy implications; (4) the skill will write downloads and generated .srt/.txt files to your Downloads directory; (5) if you care about safety, review scripts/yt_search.py locally (it uses subprocess.run without shell=True and uses the official Google Data API endpoints, which is good) and confirm you are comfortable with the forced auto-translation behavior specified in SKILL.md. If anything above is unexpected, don't install or run the skill until the author corrects the metadata and clarifies Bilibili support and cookie usage.

Like a lobster shell, security has layers — review code before you run it.

bilibilivk977b11663stfn6ed3gcdz1chn839ep4downloadvk977b11663stfn6ed3gcdz1chn839ep4latestvk977b11663stfn6ed3gcdz1chn839ep4subtitlevk977b11663stfn6ed3gcdz1chn839ep4videovk977b11663stfn6ed3gcdz1chn839ep4youtubevk977b11663stfn6ed3gcdz1chn839ep4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments