Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bilibili Up Master

v1.0.0

Provides trending monitoring for Bilibili UP masters, follower and video data analysis, competitor research, and content-planning suggestions, supporting channel growth and report generation.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Bilibili trending monitoring, UP master/video analysis, content planning) match the included code and SKILL.md. The code provides report generation, data scaffolding, and helper functions that align with the stated purpose. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md instructs the agent to use the platform browser or agent-reach to fetch B站 pages (expected for scraping). The instructions and code do not attempt to read arbitrary local files or unexpected env vars. Important caveats: (1) the code disables SSL certificate validation (ssl._create_default_https_context = ssl._create_unverified_context), which weakens TLS and can allow MITM when the agent fetches pages; (2) the skill expects to use a browser profile (profile="openclaw") or agent-reach, which can expose any logged-in session cookies or private pages to the skill if those sessions are available to the agent.
Install Mechanism
No install spec — instruction-only plus Python source files. Nothing is downloaded from arbitrary URLs and no installer writes into unusual system locations. This is low-risk from an install mechanism point of view.
Credentials
The skill declares no required environment variables or credentials (proportionate). However, runtime behavior depends on the agent's browser/agent-reach tooling and profile: if those tools expose browser cookies or logged-in sessions, the skill can access pages or data that require login (the SKILL.md even mentions some UP data requiring login). The skill stores outputs and reports under /tmp/bilibili-data, which is expected but accessible to other local users/processes on multi-user systems.
Persistence & Privilege
The "always" field is false and the skill does not request system-wide persistence or modify other skills' configs. It writes only to its own /tmp/bilibili-data directory (normal for a reporting tool).
Assessment
This skill appears to do what it says and requests no unusual secrets or installers. Before installing or running it, consider: 1) The code disables SSL certificate validation — this is insecure; ask the author to remove that behavior or run the skill in a network you trust. 2) The skill uses the agent's browser or agent-reach tool; if those tools have access to your logged-in Bilibili session (cookies), the skill can view account-only pages. Only run it with a browser profile/session you are comfortable exposing, or use a clean/sandboxed profile. 3) Output is saved under /tmp/bilibili-data — review files before sharing and be aware /tmp may be readable by other local users on multi-user systems. 4) If you need stronger guarantees, request the author remove the SSL bypass, provide explicit network I/O controls, and confirm there are no hidden remote endpoints. Overall: coherent and reasonably low risk if run in a sandboxed or trusted environment.
