Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bilibili Garb

v1.0.1

Bilibili garb (个性装扮) data collection and management. Search garb items, query suit/collection details, scan benefit data for owned items (including discontin...


Install

OpenClaw Prompt Flow

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kuangzhanzhiwang/bilibili-garb.

Install & Setup prompt:

Install the skill "Bilibili Garb" (kuangzhanzhiwang/bilibili-garb) from ClawHub.
Skill page: https://clawhub.ai/kuangzhanzhiwang/bilibili-garb
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install kuangzhanzhiwang/bilibili-garb

ClawHub CLI:

npx clawhub@latest install bilibili-garb
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description match what the scripts do: search, query, and scan Bilibili 'garb' endpoints and local gallery DBs. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md and scripts clearly require sensitive Bilibili credentials (access_key, SESSDATA, bili_jct, appsecret). The credentials are relevant to the functionality but their absence from the declared requirements is an inconsistency.
Instruction Scope (flagged)
The runtime instructions and scripts instruct the user/agent to read local workspace files (configs/bili-api-creds.json, data/decorations-database.json, optional local card/suit DB files) and to perform authenticated calls to Bilibili APIs. Critically, the SKILL.md explicitly advises obtaining credentials by capturing mobile-app traffic with mitmproxy/Charles—this is sensitive operational guidance that goes beyond routine setup and could be misused. The scripts themselves call only official api.bilibili.com endpoints and write results locally (ndjson/progress files), so there is no obvious hidden exfiltration endpoint, but the instructions for harvesting credentials are high-risk.
Install Mechanism
No install spec is provided (instruction-only with included scripts). Nothing is downloaded or installed by an automated installer; code is run locally. This is lower risk than arbitrary network installs, but running included scripts still executes code on the host.
Credentials (flagged)
The skill requires high-sensitivity secrets used to authenticate as a Bilibili user (access_key, SESSDATA, bili_jct, appsecret). Those are proportionate to calling signed Bilibili endpoints, but the package metadata did not declare these required env vars or a primary credential. The instruction to capture these secrets via network interception increases risk. Users should assume possession of full account-level access is needed for the script to function and so must protect these secrets accordingly.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It reads/writes files within its workspace (data/, configs/) but does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (query Bilibili garb APIs, use local gallery DBs, and write NDJSON results), but there are two practical concerns to weigh before installing:

  1. It needs highly sensitive Bilibili credentials (access_key, SESSDATA, bili_jct, appsecret). Those give access to user-specific API data; treat them like passwords and only run the scripts on a trusted machine.
  2. The SKILL.md explicitly tells you to capture credentials from the mobile app via mitmproxy/Charles. That technique works for obtaining tokens but is sensitive and can capture other users' secrets if misused—only proceed if you control the account and understand the legal/ethical implications.

Additional checks you can do: inspect the scripts line-by-line (they call only api.bilibili.com and write local files), ensure credentials are stored securely (not world-readable), run the tools in an isolated environment, and consider rotating or revoking tokens after use.

The metadata omission (no declared env vars/primary credential) is a red flag—ask the publisher to list required credentials explicitly or provide a signed provenance for the package. If the author can provide justification for not declaring env vars or a trusted source/homepage, that would reduce concern.


Latest version: vk97d3xx7kdjjqmkeshv71v7fc184pjpg
92 downloads · 0 stars · 2 versions · updated 1w ago
v1.0.1 · license MIT-0

Bilibili Garb (B站个性装扮)

Collect and manage Bilibili personalization items: garb suits, digital card collections, and benefit sub-items.

Setup

All authentication credentials are read from environment variables or a config file. Create configs/bili-api-creds.json in your workspace:

{
  "appkey": "27eb53fc9058f8c3",
  "appsecret": "<obtain from Bilibili mobile client>",
  "access_key": "<your access_key>",
  "csrf": "<your bili_jct>",
  "DedeUserID": "<your uid>",
  "SESSDATA": "<your SESSDATA>"
}

Or export environment variables:

export BILI_SESSDATA="<your SESSDATA>"
export BILI_ACCESS_KEY="<your access_key>"
export BILI_CSRF="<your bili_jct>"
export BILI_UID="<your uid>"

How to obtain credentials: Capture from Bilibili mobile app HTTP traffic (e.g., mitmproxy, Charles). The access_key expires periodically and must be refreshed.
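A defensive way to consume the two credential sources described above, as an added Python example that is not part of the skill's own scripts: environment variables take precedence, the JSON file is consulted only for values still missing, template placeholders such as "<your SESSDATA>" are refused, and the file is rejected when its permissions let group or others read it (the "not world-readable" check from the scan report). The variable and key names follow the Setup section; CredentialError, load_bili_creds, redact, demo and every value inside demo are assumptions constructed for this example (the appkey in the page's template is a real value and is deliberately not reused here).

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Environment variable names from the Setup section, mapped to the keys of
# configs/bili-api-creds.json.
ENV_TO_KEY = {
    "BILI_SESSDATA": "SESSDATA",
    "BILI_ACCESS_KEY": "access_key",
    "BILI_CSRF": "csrf",
    "BILI_UID": "DedeUserID",
}
REQUIRED_KEYS = tuple(ENV_TO_KEY.values())
DEFAULT_CONFIG = Path("configs/bili-api-creds.json")


class CredentialError(Exception):
    """Credentials are missing, still template placeholders, or stored insecurely."""


def is_placeholder(value):
    # The template ships values like "<your SESSDATA>"; never send those to the API.
    return not isinstance(value, str) or value == "" or value.startswith("<")


def load_bili_creds(env=None, config_path=DEFAULT_CONFIG, require_private=True):
    """Resolve credentials: environment first, then the JSON file for anything still missing.

    The file holds session-level secrets, so it is rejected when group or others can
    read it (chmod 600 is the expected state).
    """
    env = os.environ if env is None else env
    creds = {key: env.get(var) for var, key in ENV_TO_KEY.items()}

    if any(is_placeholder(creds[k]) for k in REQUIRED_KEYS):
        path = Path(config_path)
        if not path.is_file():
            raise CredentialError(f"incomplete environment and no config file at {path}")
        mode = stat.S_IMODE(path.stat().st_mode)
        if require_private and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialError(f"{path} is group/world accessible (mode {mode:o}); use chmod 600")
        file_creds = json.loads(path.read_text(encoding="utf-8"))
        for key in REQUIRED_KEYS:
            if is_placeholder(creds[key]):
                creds[key] = file_creds.get(key)
        # appkey/appsecret only exist in the file; carry them along when present.
        for key in ("appkey", "appsecret"):
            if key in file_creds:
                creds[key] = file_creds[key]

    bad = [k for k in REQUIRED_KEYS if is_placeholder(creds[k])]
    if bad:
        raise CredentialError(f"missing or placeholder credentials: {bad}")
    return creds


def redact(creds):
    """Copy safe for logs: keep the first 4 characters of each secret, mask the rest."""
    return {k: (v[:4] + "..." if isinstance(v, str) and len(v) > 4 else "***")
            for k, v in creds.items()}


def demo():
    """Exercise the loader on constructed values in a temp dir; returns the outcomes."""
    sample = {  # constructed, not real Bilibili values
        "appkey": "0000000000000000", "appsecret": "<obtain from Bilibili mobile client>",
        "access_key": "ak_constructed_1234", "csrf": "csrf_constructed",
        "DedeUserID": "123456", "SESSDATA": "sess_constructed_abcd",
    }
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "bili-api-creds.json"
        path.write_text(json.dumps(sample), encoding="utf-8")
        os.chmod(path, 0o644)  # too open: group and others can read the secrets
        try:
            load_bili_creds(env={}, config_path=path)
            outcomes["open_file_rejected"] = False
        except CredentialError:
            outcomes["open_file_rejected"] = True
        os.chmod(path, 0o600)
        outcomes["from_file"] = load_bili_creds(env={}, config_path=path)
        env = {"BILI_SESSDATA": "env_sess_value", "BILI_ACCESS_KEY": "env_ak_value",
               "BILI_CSRF": "env_csrf_value", "BILI_UID": "654321"}
        outcomes["from_env"] = load_bili_creds(env=env, config_path=Path(tmp) / "absent.json")
        try:
            load_bili_creds(env={"BILI_UID": "<your uid>"}, config_path=Path(tmp) / "absent.json")
            outcomes["placeholder_rejected"] = False
        except CredentialError:
            outcomes["placeholder_rejected"] = True
    return outcomes
```

The permission check is done on the file's mode bits rather than by trying to read it as another user, which is enough to catch the common mistake of a config committed or copied with default 644 permissions; redact exists so that a debug log of the resolved configuration never contains a full SESSDATA or access_key.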

Commands

Search Garb Items

bash scripts/bilibili-garb-search.sh "关键词"

Searches both the official API and a local gallery database. Outputs Markdown with:

  • Collection items (收藏集) with biz_id
  • Suit items (套装) with item_id
  • Discontinued items from local gallery marked [藏馆-绝版]

Query Collection/Suit Details

bash scripts/bilibili-garb-collection.sh -i <ID>

  • ID ≤ 6 digits → collection (收藏集) mode
  • ID > 6 digits → suit (套装) mode
  • Falls back to local gallery database for discontinued items

Scan Benefit Data

python3 scripts/garb-benefit-scan.py [options]

Scans owned garb items from data/decorations-database.json, calls benefit API for each, and appends results to data/garb-benefit-results.ndjson.

Options:

  • --limit N — process only N items
  • --dry-run — show what would be scanned without making API calls
  • --force — rescan items that already have benefit data
  • --debug — output full API responses

Supports resume (Ctrl+C safe) and deduplication.
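What "resume (Ctrl+C safe) and deduplication" amount to in practice, as an added Python example that is not the skill's garb-benefit-scan.py: results are appended to an NDJSON file one flushed line at a time, a last line torn by an interrupt is ignored (and its item re-scanned) and closed off before new records are appended, and --limit, --force and --dry-run are modelled as parameters. The function names, the fetch_benefit callback, the constructed items in demo and the record shape ({"item_id": ..., "benefit": ...}) are assumptions; the page does not document the file's schema.

```python
import json
import tempfile
from pathlib import Path

RESULTS_PATH = Path("data/garb-benefit-results.ndjson")


def load_done_ids(results_path):
    """Ids already recorded in the NDJSON file. A line torn by Ctrl+C mid-write does not
    parse and is skipped, so that item is simply scanned again on the next run."""
    done = set()
    if not Path(results_path).exists():
        return done
    with open(results_path, encoding="utf-8") as fh:
        for line in fh:
            try:
                done.add(str(json.loads(line)["item_id"]))
            except (ValueError, KeyError):
                continue
    return done


def plan_scan(items, done_ids, limit=None, force=False):
    """Apply --force, --limit and input deduplication; returns the items still to call for."""
    seen, planned = set(), []
    for item in items:
        iid = str(item["item_id"])
        if iid in seen or (not force and iid in done_ids):
            continue
        seen.add(iid)
        planned.append(item)
        if limit is not None and len(planned) >= limit:
            break
    return planned


def _ends_without_newline(path):
    # True when a previous run was interrupted mid-line, leaving no trailing newline.
    if not path.exists() or path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        fh.seek(-1, 2)
        return fh.read(1) != b"\n"


def run_scan(items, fetch_benefit, results_path=RESULTS_PATH, limit=None, force=False, dry_run=False):
    """Append one JSON line per item, flushing after each so an interruption loses at most
    the record in progress. fetch_benefit(item) is the caller's benefit API call."""
    results_path = Path(results_path)
    planned = plan_scan(items, load_done_ids(results_path), limit=limit, force=force)
    planned_ids = [str(i["item_id"]) for i in planned]
    if dry_run:
        return {"planned": planned_ids, "written": 0}
    results_path.parent.mkdir(parents=True, exist_ok=True)
    fix_tail = _ends_without_newline(results_path)
    written = 0
    with results_path.open("a", encoding="utf-8") as out:
        if fix_tail:
            out.write("\n")  # close the torn line before appending new records
        for item in planned:
            record = {"item_id": str(item["item_id"]), "benefit": fetch_benefit(item)}
            out.write(json.dumps(record, ensure_ascii=False) + "\n")
            out.flush()
            written += 1
    return {"planned": planned_ids, "written": written}


def latest_results(results_path):
    """Read results back keeping the last record per item_id (a --force rescan appends a newer one)."""
    latest = {}
    if Path(results_path).exists():
        with open(results_path, encoding="utf-8") as fh:
            for line in fh:
                try:
                    rec = json.loads(line)
                    latest[str(rec["item_id"])] = rec["benefit"]
                except (ValueError, KeyError):
                    continue
    return latest


def demo():
    """Run the scanner on constructed items with a fake fetcher in a temp dir; returns outcomes."""
    items = [{"item_id": 101}, {"item_id": 102}, {"item_id": 101}, {"item_id": 103}]  # constructed; 101 repeated
    calls = []

    def fake_fetch(item):  # stands in for the real benefit API call
        calls.append(item["item_id"])
        return {"sub_items": len(calls)}

    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "results.ndjson"
        # earlier run: one complete record, then a line cut off by Ctrl+C
        path.write_text('{"item_id": "102", "benefit": {"sub_items": 9}}\n{"item_id": "103", "bene',
                        encoding="utf-8")
        out["dry"] = run_scan(items, fake_fetch, path, dry_run=True)
        out["first"] = run_scan(items, fake_fetch, path, limit=1)
        out["second"] = run_scan(items, fake_fetch, path)
        out["forced"] = run_scan(items, fake_fetch, path, force=True, limit=1)
        out["latest"] = latest_results(path)
        out["calls"] = list(calls)
    return out
```

Append-only output is what makes the resume cheap: nothing is rewritten, so the worst case after an interrupt is one unparsable line, and readers reconcile duplicates from a forced rescan by taking the last record per id.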

Key API Knowledge

See references/bilibili-garb-api-reference.md for full API documentation.

Critical points:

  1. Benefit API (/x/garb/v2/user/suit/benefit) is the only way to get data for discontinued items. Requires sign authentication.
  2. DIY suits: When item_id contains a hyphen (e.g., 1775103232001-0), pass biz_id as the item_id parameter instead — the original item_id returns -400.
  3. part parameter: Only one call with part=space_bg returns all 9 sub-item types. No need to iterate.
  4. Scarcity tiers: Use item_list API's scarcity field as the primary source. When scarcity_rate=2 and rate2_count==1, default to small-hidden (30), do not auto-upgrade to large-hidden.
  5. DLC avatar frames: Must come from lottery_home_detail, never from collection's own frame/frame_image.
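The id-length rule from Query Collection/Suit Details and points 2 to 4 above, written out as Python (an added example, not the skill's scripts). mode_for_id, benefit_item_id, benefit_request_params and scarcity_tier are assumed names; the parameter names item_id and part, the endpoint path and the tier code 30 come from the page, and treating the scarcity override as a fallback for when item_list's scarcity field is absent is this example's reading of point 4.

```python
def mode_for_id(raw_id):
    """Collection mode for ids of up to 6 digits, suit mode for longer ones
    (the rule the collection script applies to its -i argument)."""
    digits = str(raw_id).strip()
    if not digits.isdigit():
        raise ValueError(f"id must be numeric: {raw_id!r}")
    return "collection" if len(digits) <= 6 else "suit"


def benefit_item_id(item_id, biz_id=None):
    """DIY suits have a hyphenated item_id (e.g. 1775103232001-0); the benefit endpoint
    answers -400 for that form, so biz_id is sent as the item_id parameter instead."""
    item_id = str(item_id)
    if "-" not in item_id:
        return item_id
    if biz_id is None:
        raise ValueError(f"DIY suit {item_id} needs a biz_id")
    return str(biz_id)


def benefit_request_params(item):
    """Query parameters for /x/garb/v2/user/suit/benefit. One call with part=space_bg
    returns all 9 sub-item types, so there is no need to iterate over parts."""
    return {
        "item_id": benefit_item_id(item["item_id"], item.get("biz_id")),
        "part": "space_bg",
    }


SMALL_HIDDEN = 30  # tier code the page gives for this case; other codes are not on the page


def scarcity_tier(item):
    """item_list's scarcity field is the primary source. Only when it is absent and
    scarcity_rate == 2 with rate2_count == 1 do we fall back to small-hidden (30);
    the tier is never upgraded to large-hidden here."""
    if item.get("scarcity") is not None:
        return item["scarcity"]
    if item.get("scarcity_rate") == 2 and item.get("rate2_count") == 1:
        return SMALL_HIDDEN
    return None
```

Keeping these decisions in small pure functions means the scan loop calls benefit_request_params(item) once per item and the -400 case for DIY suits never reaches the network.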

Standard Operating Procedure

See references/bilibili-garb-sop.md for step-by-step workflows.
