Install untrusted source
- Finding
- Install source points to URL shortener or raw IP.
Security checks across static analysis, malware telemetry, and agentic risk
The skill appears purpose-aligned for Bilibili search, but users should review and trust the separate local FastAPI/Playwright service before running it.
This looks safe to install as an instruction/OpenAPI wrapper if you already trust the local Bilibili search service it calls. Before use, review the separate `skill_api.py` implementation, confirm it only listens on 127.0.0.1, and avoid sending sensitive search terms if the local service or network environment is untrusted.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The local service, not the skill package itself, determines what code runs on the user's machine when searches are performed.
The skill depends on a separate local Python API service and browser automation stack that are not included in the reviewed package. This is disclosed and purpose-aligned, but the actual service behavior cannot be verified from these artifacts.
The local FastAPI service (`skill_api.py`) has started successfully... The local environment has `playwright` correctly installed and the corresponding Chromium browser engine downloaded.
Only run a trusted and reviewed `skill_api.py`, keep Playwright/Chromium updated, and bind the service to localhost as documented.
Using the skill may cause a local browser automation service to browse Bilibili pages and process webpage content in the background.
The skill discloses that searches are performed through headless browser automation running in the background. This is expected for web scraping, but users should understand that a local browser automation process is involved.
Under the hood it uses headless browser mode and runs entirely in the background
Start and stop the local API deliberately, avoid running unknown automation code, and use a dedicated browser/profile if the local service supports it.