ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bilibili Video

v1.0.0

B站(Bilibili)视频字幕提取与音频转写工具。基于 bilibili-api-python,自带 WBI 签名反爬。 三级降级策略:CC字幕 → AI字幕(9种语言) → 音频下载+ASR转写。 当以下情况时使用: (1) 用户提供 B 站视频链接或 BV/AV/EP/SS 号,要求获取字幕或文字内容 (2...

0· 125·1 current·1 all-time
byMadoka@guoqunabc
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: the scripts call bilibili-api-python, download subtitles/audio, support login via QR/cookies, and save transcripts. Requiring cookies and ffmpeg is reasonable for the described functionality.
!
Instruction Scope
The runtime instructions and code perform exactly the advertised actions (fetch CC/AI subtitles, or download audio and call an ASR pipeline). However the ASR step delegates to an external script (~/.openclaw/workspace/scripts/speech-to-text.sh) that is not included. That external script is passed raw audio and (per SKILL.md) may call multiple STT/LLM providers (Feishu STT, Gemini, MiMo, Qwen). Because that script and its network behavior are not part of the skill bundle, the agent will end up transmitting user audio to whatever that script does — a scope creep / data-exfiltration risk unless the user inspects the script first.
Install Mechanism
This is instruction-only with bundled Python scripts (no install spec) — low install risk. But SKILL.md asserts dependencies are “已安装,每日自动更新” (bilibili-api-python auto-updates) even though there is no install mechanism in the bundle; that is an environmental assumption/mismatch that should be clarified.
!
Credentials
The skill does not request environment variables or credentials, which is appropriate. It does read and write a local cookie file (~/.openclaw/workspace/.bilibili_cookies.json) containing sensitive Bilibili cookies (SESSDATA, bili_jct, etc.) — this is expected for logged-in API access but is sensitive and should be understood. The bigger issue: ASR may require or use third-party API keys (not requested by the skill) and could leak audio/content to external services; those credentials/configurations would live outside the skill and are not declared, creating a hidden dependency and potential for unintended disclosure.
Persistence & Privilege
always is false and the skill does not request elevated system privileges. It writes its own cookie file and output under ~/.openclaw and /tmp/openclaw, which is normal for this function. It does not modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it says (download subtitles/audio and (optionally) transcribe audio), but take these precautions before installing or running it: (1) Inspect the external ASR script at ~/.openclaw/workspace/scripts/speech-to-text.sh before use — it receives raw audio and may send it to third-party STT/LLM services (which could expose sensitive audio). (2) Be aware the skill stores Bilibili cookies in ~/.openclaw/workspace/.bilibili_cookies.json; only save cookies for accounts you trust and understand the privacy implications. (3) Confirm required dependencies (bilibili-api-python, aiohttp, ffmpeg, opencc) exist in your environment — the skill claims auto-updates but includes no installer. (4) If you need to prevent any external network calls for transcription, disable ASR (use --no-asr) or supply a vetted local speech-to-text implementation. (5) If you want higher assurance, run the skill in an isolated environment/container and review or provide the ASR tooling yourself. If the ASR script or any referenced third-party provider is not audited/known, treat audio output as potentially exfiltrated.

Like a lobster shell, security has layers — review code before you run it.

latestvk979fpccbbx3ac3w19bxh2dkjd83kaka
125downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
Madoka@guoqunabc
latest
Download

B站视频字幕与音频提取

快速使用

# 提取字幕(三级降级自动选择最佳来源)
python3 skills/bilibili-video/scripts/bilibili_extract.py BV1GqZUBvENu

# 完整 URL 也行
python3 skills/bilibili-video/scripts/bilibili_extract.py "https://www.bilibili.com/video/BV1GqZUBvENu/"

# 仅查看视频信息
python3 skills/bilibili-video/scripts/bilibili_extract.py --info BV1GqZUBvENu

# 仅下载音频(不转写)
python3 skills/bilibili-video/scripts/bilibili_extract.py --audio-only BV1GqZUBvENu

# 禁用 ASR 兜底(字幕不可用时仅下载音频)
python3 skills/bilibili-video/scripts/bilibili_extract.py --no-asr BV1GqZUBvENu

三级降级策略

  1. CC 字幕:UP 主上传的字幕,准确度最高,优先中文
  2. AI 字幕:B 站 AI 生成字幕,支持 ai-zh/ai-en 等 9 种语言
  3. 音频转写:下载音频,调用 speech-to-text.sh(飞书STT → Gemini → MiMo → Qwen 四级降级)

大部分视频前两级即可覆盖。第三级需要更多时间但可处理任何有声视频。

输出

  • 目录:/tmp/openclaw/bilibili/
  • 文件:{BV_ID}_transcript.txt
  • 格式:视频元信息 + 正文(自动繁转简)

登录(提升成功率)

无 cookie 可用但功能受限。遇到 412 风控时需要登录:

# 终端扫码登录
python3 skills/bilibili-video/scripts/bilibili_login.py

# 检查 cookie 是否有效
python3 skills/bilibili-video/scripts/bilibili_login.py --check

也可以从浏览器手动提取 cookie(SESSDATA、bili_jct、buvid3、DedeUserID),保存为 JSON 到 ~/.openclaw/workspace/.bilibili_cookies.json

依赖

  • bilibili-api-python(已安装,每日自动更新)
  • aiohttp(已安装)
  • ffmpeg(已安装,音频转写时使用)
  • opencc-python-reimplemented(可选,繁转简)

踩坑记录

详见 references/api-notes.md:WBI 签名、Cookie 管理、常见错误码、AI 字幕语言代码。

Comments

Loading comments...