Yq Bilibili Skill

Warn

Audited by ClawScan on May 17, 2026.

Overview

The skill is a coherent Bilibili CLI wrapper, but it can automatically use local browser/login credentials and perform account-changing actions, so it should be reviewed before use.

Install only if you trust the underlying bilibili-cli tool. Before using authenticated features, understand that it may read saved Bilibili credentials or browser cookies and can access private account areas such as history, favorites, feed, and following lists. Require explicit confirmation before any like, coin, triple, unfollow, or other write operation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The CLI may access the user's Bilibili account using existing browser sessions or saved credentials, including private account data and authenticated actions.

Why it was flagged

The skill explicitly documents use of persistent local credentials and automatic browser-cookie extraction. That is high-impact account/session access and is not declared in the registry credential requirements.

Skill content

bilibili-cli uses a 3-tier authentication strategy: 1. Saved credentials - loaded from `~/.bilibili-cli/credential.json` 2. Browser cookies - automatically extracted from Chrome/Firefox/Edge/Brave

Recommendation

Use only if you trust the underlying bilibili-cli package, prefer an explicit QR login or dedicated account, and verify/limit any browser-cookie or saved-credential access before running authenticated commands.

What this means

An agent using this skill could change the user's Bilibili account state, spend coins, add favorites, or unfollow accounts if invoked incorrectly.

Why it was flagged

The skill exposes account-mutating commands, including coin/triple actions and unfollowing, but the instructions do not require an explicit user confirmation immediately before these changes.

Skill content

`bili like <BV号>` ... `bili coin <BV号>` ... `bili triple <BV号>` ... `bili unfollow <UID>`

Recommendation

Require clear user confirmation before any write action, especially coin, triple, unfollow, or public-posting operations, and show the exact target BV/UID before executing.

What this means

The actual behavior depends on the externally installed bilibili-cli package and its dependencies, which were not statically reviewed here.

Why it was flagged

The skill relies on installing an external CLI package, but this artifact set includes no source code or pinned package version for that dependency.

Skill content

`uv tool install bilibili-cli` ... `pipx install bilibili-cli` ... `uv tool install "bilibili-cli[audio]"`

Recommendation

Install from a trusted source, pin or verify the package version where possible, and review the package permissions before using authenticated or audio-download features.