Bilibili Up To Kb
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: bilibili-up-to-kb
Version: 0.1.0

The skill bundle is classified as suspicious due to several risky capabilities. It accesses browser cookies via `yt-dlp --cookies-from-browser chrome` in `scripts/batch_channel.sh` and `scripts/transcribe.sh`, which is a sensitive operation even though it serves a stated purpose (accessing member-only content). Additionally, `scripts/clean_transcript.sh` sends user-generated transcript data to an external `opencode` service for LLM-based cleaning, which involves network communication carrying potentially sensitive content. While these actions align with the skill's stated purpose, they represent significant data privacy and security risks if the skill were to be compromised or misused: there is no clear malicious intent, but the capabilities themselves are risky.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may access Bilibili as the user's logged-in browser session and download or transcribe member-only/account-scoped content.
If direct access fails, the script automatically switches to using the local Chrome browser cookie store. Browser session cookies are sensitive account credentials, and this fallback is not gated by an explicit user approval step in the script.
```bash
if ! yt-dlp --flat-playlist --print url "$CHANNEL" >/dev/null 2>&1; then
  echo "Direct access failed, trying with browser cookies..."
  COOKIES_ARG="--cookies-from-browser chrome"
fi
```
Require explicit user confirmation before using browser cookies, document exactly which browser/profile and site cookies are used, and prefer a separate least-privilege browser profile or user-provided cookie file.
A crafted or unusual video title could break metadata generation and may create a local code-injection path when processing untrusted videos.
A remote Bilibili title is used to build FILE_BASE and then interpolated directly into Python source code. The filename sanitizer removes some filename-dangerous characters but does not safely JSON/Python-escape quotes or newlines before execution.
```bash
TITLE=$(echo "$META_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('title',''))" ...)
SAFE_TITLE=$(sanitize "$TITLE")
...
'filename_base': '$FILE_BASE'
```

Do not embed untrusted metadata inside a Python `-c` string. Pass FILE_BASE through argv, stdin, or an environment variable and serialize it with `json.dumps` or equivalent safe escaping.
Video transcripts, including member-only or sensitive content the user chose to process, may be shared with the configured model provider.
Transcript chunks are sent to an external opencode/Minimax model for cleaning. This is purpose-aligned and partially disclosed, but it means transcript content leaves the local machine.
```bash
MODEL="${CLEAN_MODEL:-opencode/minimax-m2.5-free}"
...
"$OPENCODE" run -m "$MODEL" --format json "${PROMPT}
${CHUNK_TEXT}"
```

Clearly disclose the provider data flow, credential requirements, and retention/privacy expectations, and provide an easy local-only or no-cleaning mode.
Users may install or run external tools/models without pinned versions or registry-enforced dependency checks.
The skill depends on several third-party tools and downloaded models, while the registry metadata declares no required binaries or install spec. This is expected for the purpose but leaves users to manage provenance and versions themselves.
**Required**: yt-dlp, ffmpeg, whisper.cpp (+ model), opencode CLI
Declare required binaries and environment variables in metadata, document trusted install sources, and pin or verify model/tool versions where practical.
Downloads, transcription, or remote cleaning calls may continue in the background, consuming resources or sending transcript chunks after the user stops interacting with the agent.
The documentation encourages user-directed background jobs for long-running work. This is disclosed and aligned with large channel processing, but it can keep running after the interactive session ends.
Use nohup to avoid session compaction killing processes:

```bash
nohup bash scripts/batch_clean.sh ./kb/UP主名_UID/ 0 80 > /tmp/clean.log 2>&1 &
```
Before using nohup/background mode, choose conservative concurrency, monitor logs and processes, and document how to stop or resume jobs safely.
