B站视频转文字&总结神器-Bilibili video transcribe&summary

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is generally consistent with transcribing and summarizing Bilibili videos, but it downloads media, stores outputs locally, and may upload audio to SiliconFlow using your API key.

This looks purpose-aligned for Bilibili transcription and summarization. Before using it, make sure you are comfortable sending video audio to SiliconFlow when official subtitles are unavailable, store outputs in a private folder, and avoid using it on non-Bilibili URLs unless the script is tightened to enforce that scope.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If misused outside the intended trigger, the script could fetch non-Bilibili URLs from the user's environment.

Why it was flagged

The script converts BV IDs to Bilibili URLs but otherwise accepts any syntactically valid URL. This is broader than the SKILL.md trigger, which says to use the skill for Bilibili links, BV IDs, or b23.tv short links.

Skill content

if (/^BV[0-9A-Za-z]+$/i.test(value)) { ... } ... const url = new URL(value); return url.toString();

Recommendation

Use it only for Bilibili/BV/b23.tv inputs, or update the script to enforce an allowlist for bilibili.com and b23.tv hosts.

What this means

Using ASR can consume the user's SiliconFlow account quota or billing and depends on protecting that API key.

Why it was flagged

The script uses the user's SiliconFlow API key to authenticate transcription requests. This is disclosed and purpose-aligned for ASR, and the visible code does not show logging or unrelated use of the key.

Skill content

headers: { Authorization: `Bearer ${apiKey}` }

Recommendation

Provide the key only when ASR is needed, prefer an environment variable over pasting keys into command lines, and monitor SiliconFlow usage.

What this means

Video audio may be sent to a third-party transcription provider for processing.

Why it was flagged

When no official subtitles are available and an API key exists, the script uploads the downloaded audio file to SiliconFlow for transcription. This external provider flow is disclosed in SKILL.md and matches the purpose.

Skill content

form.append("file", new Blob([buffer], { type: "audio/mpeg" }), "audio.mp3"); ... fetch("https://api.siliconflow.cn/v1/audio/transcriptions", { method: "POST"

Recommendation

Only use ASR for videos you are comfortable sending to SiliconFlow, and review SiliconFlow's privacy and retention terms if the content is sensitive.

What this means

Transcripts or audio files may remain on disk and could be read later by anyone with access to that output directory.

Why it was flagged

The skill persists downloaded audio, transcription results, final transcript text, and a readiness marker in the output directory. This is expected for the workflow, but it leaves local artifacts after the task.

Skill content

The script writes to the output directory: `probe_result.json` ... `audio.mp3` ... `transcription_result.json` ... `transcript.txt` ... `.skill-ready.json`

Recommendation

Choose a private output directory and delete audio/transcript files after use if the video content is sensitive.

What this means

Users have less external provenance information for independently verifying the skill's origin.

Why it was flagged

The package does not provide a known source repository or install spec. The included static scan is clean, but provenance is limited.

Skill content

Source: unknown; Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Review the full packaged script before high-trust use, especially because this review view shows the script content as truncated.