Skillv1.0.0

ClawScan security

📺 Bilibili Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 13, 2026, 1:14 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill generally matches its Bilibili CLI purpose, but the package declares no required credentials while its instructions and wrapper clearly require sensitive Bilibili cookies and ask the user/agent to modify agent config — these mismatches and a few unsafe recommendations warrant caution.
Guidance: This skill appears to be a legitimate Bilibili CLI wrapper, but it has important mismatches and risky recommendations you should review before installing. Key points: (1) It requires sensitive Bilibili cookies (SESSDATA, bili_jct, buvid3) even though the registry metadata doesn't declare them — do not store these in plaintext under the shared workspace unless you accept the risk. (2) The README instructs adding an MCP server entry to your ~/.openclaw/openclaw.json that points to an external script in the workspace — that lets the agent run that code and increases risk; only add this if you trust the source and have inspected the referenced code. (3) Avoid running ambiguous installer commands (the docs mention pip with --break-system-packages and example use of curl | sh in a posted message); install dependencies from trusted sources and avoid --break-system-packages. (4) Review the bilibili-cli implementation you will invoke (the skill expects /root/.openclaw/workspace/external/bilibili-api/bilibili-cli.py) — ensure it's the authentic project and inspect it for unexpected network endpoints or telemetry. (5) If you proceed, keep cookies in a secure secrets store or environment scoped to the process, not an unencrypted workspace file, and consider manual, minimal configuration rather than auto-adding MCP servers. If you want higher confidence, ask the maintainer for a provenance link to the exact bilibili-cli they expect and for the skill manifest to be updated to declare the required env vars.

Review Dimensions

Purpose & Capability: concernThe skill's functionality (posting, deleting, searching on Bilibili) coherently requires Bilibili authentication and a CLI client; however the registry metadata lists no required environment variables or credentials while the SKILL.md and wrapper script clearly depend on SESSDATA / bili_jct / buvid3 (via env vars or a cookies file). This discrepancy between stated requirements and actual needs is incoherent and could mislead users about what secrets will be used.
Instruction Scope: concernRuntime instructions and examples tell the agent/user to store and read cookies from a workspace file (/root/.openclaw/workspace/bilibili-cookies.md) or environment variables, to add an MCP server entry to ~/.openclaw/openclaw.json (modifying agent configuration), and include an example using subprocess.run(..., shell=True) for batch publishing. These steps cause the agent (or a user) to read and persist sensitive credentials and to wire an external MCP server into the agent — actions beyond simple CLI invocation and worth vetting.
Install Mechanism: noteThe skill is instruction-only (no automated install), which is low-risk, but the README/SKILL.md recommend pip installing multiple packages (including bilibili-api-python and others) and use of --break-system-packages. The recommended installs are from PyPI (expected) but the --break-system-packages flag is unusual and risky. No downloads from arbitrary URLs are programmed by the skill itself.
Credentials: concernAlthough registry metadata lists no required env vars, the wrapper script and documentation require BILIBILI_SESSDATA, BILIBILI_BILI_JCT, and BILIBILI_BUVID3 (or a cookies file). Asking for three account cookies/keys is proportionate to the stated capability, but the fact they are not declared in the skill manifest and the recommended storage is an unencrypted workspace file increases risk of accidental credential exposure.
Persistence & Privilege: concernThe SKILL.md instructs adding a new MCP server entry to ~/.openclaw/openclaw.json pointing at an external script inside the workspace. That change would cause the agent to load/run external code via stdio transport. While the skill is not marked always:true, advising or automating modification of agent configuration to add an external MCP server expands the attack surface and should be treated with care.