bilibili Hot Video Recommendation Ranking
Advisory
Audited by VirusTotal on Apr 2, 2026.
Overview
Type: OpenClaw Skill
Name: bilibili-hot-recommend
Version: 1.0.2
The script `scripts/bilibili-hot-recommand.py` routes requests through a third-party proxy domain (lvhomeproxy2.dpdns.org) instead of the official Bilibili API. While this is likely intended to bypass Bilibili's anti-bot protections or authentication requirements, using an unverified intermediary for data retrieval is a security risk. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may think the agent is only contacting Bilibili, while the request and resulting recommendation data are actually mediated by an unknown third party.
The skill describes fetching Bilibili hot recommendations, but the code obtains results from an undisclosed third-party dynamic-DNS proxy rather than a Bilibili domain. This creates unclear provenance for both the network destination and returned links/content.
base_url = "https://lvhomeproxy2.dpdns.org"
Disclose the proxy in SKILL.md and metadata, explain why it is needed, or use an official/direct Bilibili endpoint where possible. Users should review this endpoint before installing.
The skill may fail unless the Python requests package is already installed, and the dependency is not captured in the formal install metadata.
The documentation says the script depends on requests, but the registry requirements list no required binaries, env vars, or install spec. This is under-declared setup information, though requests is expected for a Python web-fetching script.
Script dependency: the requests library must be installed; it can be installed automatically via pip3 install requests
Declare the Python dependency in the install/metadata contract and ensure any setup instructions are explicit and user-approved.
