Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (B站视频分析) align with the included code: the script calls Bilibili's public API and returns title, owner, desc, view, like — all expected for this purpose. No unrelated binaries or credentials are requested. Minor note: SKILL.md explicitly forbids using web_fetch/browser while the bundled script itself uses fetch() to call the Bilibili API; this is ambiguous but not necessarily malicious.
Instruction Scope
SKILL.md instructs the agent to call scripts/fetch.js, but the repository contains scripts/fecth.js (typo). This filename mismatch means the runtime instruction will fail unless corrected. Otherwise, the instructions restrict operations appropriately (call internal script, no other system files accessed, network call only to Bilibili API).
Install Mechanism
No install spec and only a small JS script are included; nothing is downloaded or installed at runtime. This is low-risk from an install perspective.
Credentials
The skill declares no environment variables or credentials and the script does not access any secrets or config paths. The only external interaction is a GET to api.bilibili.com, which is proportional to the stated purpose.
Persistence & Privilege
The skill does not request persistent/always-on presence and uses normal agent invocation rules. It does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill generally does what it claims — it extracts a BV id and queries the public Bilibili API for metadata. Before installing, check and correct the obvious inconsistencies:
(1) SKILL.md calls scripts/fetch.js but the included file is scripts/fecth.js (likely a typo). Fixing the filename or the instruction is required for the skill to run.
(2) Clarify the SKILL.md statement that forbids web_fetch/browser: the bundled script uses fetch() to contact api.bilibili.com; make sure the runtime environment supports that call and that the intent is to let the script perform the network request rather than the agent using a separate web_fetch tool.
Also consider basic robustness and privacy: the script only returns non-sensitive metadata, but it lacks handling for input URLs without explicit BV patterns and provides minimal error details. If you plan to use this in production, test edge cases (URLs, av numbers, private/unavailable videos), add stronger input validation and clearer error messages, and confirm rate-limiting/usage policy with the Bilibili API.
Like a lobster shell, security has layers — review code before you run it.
