Bili Summary

v1.0.0

Download Bilibili videos, extract or transcribe subtitles, and generate AI-powered detailed summaries using Gemini 2.5 Flash.

by Xuanyu Chen @lava-chen
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and SKILL.md align with the described purpose: it uses yt-dlp to download Bilibili content, faster-whisper for transcription, and the Gemini generativelanguage API for summaries. That capability set is coherent for a 'Bili Summary' tool. However, the skill metadata published in the registry declares no required env vars or install spec while the SKILL.md and script clearly require yt-dlp, Python packages (yt-dlp, faster-whisper), and a GEMINI_API_KEY — this metadata mismatch is unexpected.
! Instruction Scope
The SKILL.md instructs the agent to read GEMINI_API_KEY from the environment and to install/run yt-dlp and faster-whisper; the included script reads the same env var and performs network calls to Bilibili and Google. The instructions and code stay within the stated purpose, but they reference an environment secret (GEMINI_API_KEY) that is not declared in the registry metadata. The SKILL.md also contains contradictory statements about whether audio/subtitle files are auto-deleted and shows a different workspace path than the script (~/openclaw vs ~/.openclaw), which increases risk of accidental data retention or confusion.
Install Mechanism
There is no formal install spec in the registry (instruction-only in practice). SKILL.md recommends pip installing yt-dlp and faster-whisper — these are well-known packages (moderate trust). The faster-whisper/Whisper model usage implies automatic model weight downloads (e.g., from Hugging Face) and significant disk/network activity; this is expected for transcription but should be documented. No arbitrary or obfuscated remote code sources are used in the included script.
! Credentials
The only runtime secret the implementation requires is GEMINI_API_KEY, which is appropriate for calling the Gemini API. However, the registry metadata does not declare this required env var (declares none), creating an inconsistency. The script places the API key on the request URL as ?key=..., which can leak the key in logs or browser history if not handled carefully. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or other privileged persistence. It writes temporary files into a workspace directory under the user's home and does not alter other skills or system-wide settings. The script may retain audio/subtitle files by default (the documentation is contradictory), so files can persist on disk until manually removed.
What to consider before installing
What to check before installing/using this skill:
- Confirm you are comfortable supplying a GEMINI_API_KEY: the runtime requires GEMINI_API_KEY (used to call the Generative Language API). The registry metadata did NOT declare this requirement, so expect to set it manually.
- Expect network activity and file writes: the script downloads video/audio, may download Whisper model weights (faster-whisper will fetch models), and writes output under your home workspace (~/.openclaw/workspace/coding-agent/temp/bili-summary). Ensure you have disk space and are okay storing these files.
- Key handling caution: the code places the API key in the request URL (?key=...), which can be exposed in logs; consider using a short-lived key or running in an isolated environment.
- Clean-up behaviour: SKILL.md and the script disagree about auto-deletion. Assume audio/subtitle files may persist and delete them manually or run the tool in a disposable/sandboxed directory.
- Confirm you have yt-dlp and a Python environment, or run pip install yt-dlp faster-whisper as recommended. Be prepared for model downloads when transcribing.
- If you need higher assurance: review the included script locally, run it in a container or VM with limited network/credentials, and test with a non-critical Gemini key. If the missing registry declarations or contradictory docs matter to your security posture, contact the skill author or avoid installing until corrected.

Like a lobster shell, security has layers — review code before you run it.

latestvk976w8xpgb6td370rynsfvqdcx81wjaf
