ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bilibili Subtitles

v1.0.0

使用 yt-dlp 从哔哩哔哩公开视频提取已有字幕或自动字幕(不下载整段视频)。当用户提到 B 站、bilibili、BV 号、视频字幕、拉字幕、做摘要、根据视频内容回答问题时使用。v1 仅支持平台已提供字幕轨道的视频;无字幕视频需换源或后续用 Whisper 等方案。

0· 152·0 current·0 all-time
byfanzhuo@scottliu007
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say 'extract Bilibili subtitles with yt-dlp' and all files/instructions align with that. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Runtime instructions and the script only run yt-dlp, list/download subtitle tracks, and post-process VTT to plain text. They do suggest using browser cookies or an exported cookies.txt to bypass B 站 rate-limits — this is expected for the use case but means the agent/command will access local browser cookies if used. The SKILL.md explicitly warns not to paste cookies into replies.
Install Mechanism
Instruction-only skill with no install spec. The only dependency is yt-dlp (user-installed). No downloads from suspicious URLs or archive extraction are present.
Credentials
No environment variables or primary credentials are requested. Optional use of browser cookies or cookies.txt is proportional to the stated need to access rate-limited or logged-in Bilibili pages.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. Model invocation is enabled (normal for skills) but this is not combined with broad credential access.
Assessment
This skill is coherent and low-risk: it simply documents yt-dlp usage and includes a small helper script. Before installing or running it: ensure yt-dlp is installed from its official source, avoid pasting cookies or secrets into chat, prefer using an exported cookies.txt (or run commands locally) rather than giving long-lived browser session tokens to third parties, and run the script in an environment where accessing your browser cookie store is acceptable. If you need autonomous agents to run it, be aware they could execute yt-dlp commands and potentially access any cookie file you give them — limit the cookie file's scope and lifetime.

Like a lobster shell, security has layers — review code before you run it.

bilibilivk971yrqgdbrba52ew2khgsxkcs838vdnlatestvk971yrqgdbrba52ew2khgsxkcs838vdnopenclawvk971yrqgdbrba52ew2khgsxkcs838vdnsubtitlesvk971yrqgdbrba52ew2khgsxkcs838vdnyt-dlpvk971yrqgdbrba52ew2khgsxkcs838vdnzhvk971yrqgdbrba52ew2khgsxkcs838vdn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments