Purpose & Capability
Name and description match the code: it targets Bilibili and Douyin and uses yt-dlp/Playwright/ffmpeg to fetch highest-quality, no-watermark streams. However, the code also downgrades setuptools, supports installing large ML stacks (PyTorch paths present), and creates a virtualenv outside the skill directory (VENV_DIR set to a parent-level path). Those environment/control actions are not necessary for a simple download helper and are disproportionate to the stated purpose.
Instruction Scope
SKILL.md instructs running the provided script and mentions yt-dlp/ffmpeg/Playwright, which is expected. The actual code goes further: at import it auto-installs Python packages, runs 'playwright install chromium', forces setuptools changes, may auto-download ffmpeg, and restarts into a new venv. These side effects are not documented in SKILL.md and expand scope to system modification and network downloads.
Install Mechanism
There is no formal install spec, but the code performs runtime installation: ensure_package.pip calls pip, attempts to downgrade setuptools, ensure_package supports git+/zip installs and fallback behavior, scripts invoke 'playwright install chromium' and ffmpeg-downloader, and video_snapper will download binaries. Runtime downloads from remote sources and extraction/install behavior are present and executed at module import — a high-risk install pattern.
Credentials
The skill requests no credentials, but it writes persistent artifacts: creates a virtualenv at VENV_DIR which resolves outside the skill root (parent of repo root), writes logs and downloads, modifies the Python environment (pip installs, setuptools downgrade), and may install large optional packages (PyTorch-related logic). These are excessive for a chat-level video resolver and can affect the host environment.
Persistence & Privilege
always:false, but the skill persists by creating venvs, downloading browsers and ffmpeg, and installing packages into the current Python environment. It runs subprocesses and can restart the process in a newly created venv. This gives it a durable footprint and system-level side effects beyond the life of a single invocation.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode-control-chars prompt-injection signals. That pattern is unrelated to video downloading and may indicate attempts to influence text processing or trick automated reviewers; treat as a cautionary signal.
What to consider before installing
This skill appears to implement video downloading for Bilibili and Douyin as stated, but it makes significant environment changes at runtime: it will auto-run pip installs (and may modify setuptools), download Playwright chromium and ffmpeg, create a virtualenv in a directory outside the skill folder, and restart in that venv. Those actions can modify your Python environment, write files to disk, and perform network downloads. Before installing or running it consider:
- Do not run in a production or sensitive host. Prefer an isolated sandbox/container or disposable VM.
- Review the code (ensure_package, env_manager, and top-level imports) line-by-line; note that many installs happen at module import time.
- If you must use it on a persistent host, change VENV_DIR to a skill-local path, remove or disable automatic setuptools downgrades, and avoid top-level pip/playwright installs (move them to an explicit, user-approved setup step).
- Expect downloads (chromium, ffmpeg, pip packages) and filesystem writes (logs, downloads, venv).
- The unicode-control-chars finding in SKILL.md is a prompt-injection warning — be cautious with automatic enabling or trusting external documentation.
If you want help producing a safer checklist or a sanitized version of this skill that only runs in a local ephemeral environment, I can suggest concrete code edits (e.g., remove top-level installs, use a local venv path, require explicit user consent before downloads).