Skill v1.0.0

ClawScan security

bilibili-video-analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 9:59 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and instructions are consistent with its stated purpose (download/transcribe/analyze Bilibili videos and produce notes); there are minor documentation/automation mismatches and an external PyPI dependency you should review before installing.
Guidance
This skill appears coherent for producing study notes from Bilibili videos, but check these before installing/using:
1) Verify the PyPI package 'railgun-bili-tools' (author, code repository, recent versions); installing unknown packages is a common supply-chain risk.
2) The workflow requires ffmpeg and bilibili downloader login; bili-dl login may store your Bilibili cookies/credentials locally, so only proceed if you trust the downloader tool.
3) The SKILL.md names 'Claude' for analysis but the included llm_analyzer is interactive (expects you to paste LLM JSON output); if you want automatic LLM calls you will need to provide API keys and possibly modify code.
4) Review the full analyze_video.py and any code you will run for unexpected network calls or obfuscated behavior before running on sensitive machines.
5) For safety, run initial tests in an isolated environment (container/VM) and inspect generated outputs (reports/screenshots) and any network activity.
If you want, I can: (a) fetch and summarize analyze_video.py for additional checks, (b) list what to search for in the PyPI package, or (c) suggest a minimal sandboxed test plan.

Review Dimensions

Purpose & Capability
ok
Name/description match the code and instructions: subtitle parsing, ffmpeg screenshots, LLM-driven analysis, and Markdown report generation. The required tools called in SKILL.md (bili-dl/railgun-bili-tools, ffmpeg, Whisper) are consistent with downloading/transcribing Bilibili videos and generating reports.
Instruction Scope
note
SKILL.md instructs the agent/user to run bili-dl login/download/transcribe, call ffmpeg for screenshots, and to have an LLM perform analysis. The code implements subtitle parsing, screenshot capture, an LLM prompt builder, and report generation. Minor scope notes: SKILL.md explicitly names 'Claude' as the analyzer, but the included llm_analyzer performs an interactive flow (user pastes LLM JSON output) rather than making an automatic API call, so full automation may require additional API integration and credentials. The workflow asks the user to run bili-dl login, which may store local credentials/cookies; this is expected for a downloader but worth noting.
Install Mechanism
note
Registry has no automated install spec, but SKILL.md tells users to 'pip install railgun-bili-tools' and to install FFmpeg. Installing a third-party PyPI package is common for this purpose, but 'railgun-bili-tools' is not a widely-known standard package name here, so verify package provenance/source on PyPI/GitHub before installing. No downloads from arbitrary URLs appear in the skill code; code uses local subprocess calls to ffmpeg/ffprobe.
Credentials
note
The skill declares no required env vars or credentials, which aligns with the included code (it uses local files, ffmpeg, and user-driven LLM interaction). However, SKILL.md and README reference using 'Claude' and Whisper for transcription/analysis: if you want automated calls to a hosted LLM you will need to supply appropriate API keys (not declared here). Also, 'bili-dl login' may require Bilibili account auth stored locally; this is expected but worth being aware of.
Persistence & Privilege
ok
The skill does not request persistent 'always' privileges and does not modify other skills or global agent configs. It writes generated reports and screenshots to output directories (normal for this functionality).