Bilibili Fav Downloader

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill largely implements a Bilibili favorites downloader, but there are multiple mismatches and incomplete metadata (wrong cookie guidance, undeclared environment variables, and default system paths), so proceed with caution and review before installing.

This skill appears to implement the described downloader, but there are multiple red flags you should address before installing or running it:

- The cookie guide is wrong: it points to douyin.com and references TikTok-style cookie names (sessionid, ttwid) mixed with Bilibili SESSDATA. For Bilibili you should verify you are extracting SESSDATA / bili_jct from bilibili.com. Do not paste cookies from other sites.
- The registry metadata does not declare environment variables, yet the script honors several (BILIBILI_COOKIE_FILE, BILIBILI_FAV_ID, BILIBILI_OUT_DIR, BILIBILI_TG_BOT_TOKEN, BILIBILI_TG_CHAT_ID). Treat the cookie file as sensitive: keep it local and private.
- The script defaults to writing logs/state/files under /opt, and setup.sh may run sudo/pip installs or write to /usr/local/bin. Run the tool in a controlled environment (container or dedicated VM) or edit the defaults to use a user-owned directory before running.
- setup.sh downloads yt-dlp from GitHub only as a fallback (acceptable), but it uses pip3 --break-system-packages, which affects system Python packages. Consider installing dependencies in a virtualenv instead.
- There is no evidence of network exfiltration beyond legitimate API calls to Bilibili and Telegram; still, review the send_tg and curl calls and, if you do not want Telegram notifications, do not set the TG env vars.

Recommended actions:

1. Inspect and correct references/cookie-guide.md to mention bilibili.com and the correct cookie keys (SESSDATA, bili_jct) before following it.
2. Run the code in an isolated environment (Docker) or change the defaults to a user-writable directory (avoid /opt) and verify file permissions.
3. Review setup.sh and prefer using a virtualenv for yt-dlp instead of global pip --break-system-packages, or install yt-dlp/ffmpeg manually.
4. Do not share your cookie file. If you decide to run the tool, rotate credentials if you suspect any leakage.
Given the mismatches (wrong cookie domain, undeclared env vars, system paths), treat this skill as suspicious and fix/document those issues before trusting it with sensitive cookies or running it on a production host.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings


Risk analysis

No visible risk-analysis findings were reported for this release.