Skill v1.0.0

ClawScan security

bilibili-danmaku-extractor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 4:25 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, instructions, and network requests are consistent with a simple Bilibili danmaku extractor; it doesn't request secrets or odd permissions, though the source is unsigned/unknown so exercise normal caution.
Guidance
The skill appears to be a straightforward Bilibili danmaku extractor and is internally consistent. Before installing or running it: (1) review the code yourself or run it in a disposable environment (container or VM), because the package author and homepage are unknown; (2) run inside a Python virtualenv and inspect network activity if you have concerns; (3) be mindful of Bilibili rate limits and terms of service when extracting many videos; (4) the script writes files to the output directory; avoid running as a privileged user and choose a safe output path; (5) verify the pip package 'requests' is installed from the official index (pip install in a controlled env). These steps reduce risk even though the code itself matches its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (extract Bilibili danmaku) aligns with what the files do: main.py fetches video info and danmaku from Bilibili API endpoints and exports JSON/Markdown. No unrelated services, binaries, or credentials are requested.
Instruction Scope
ok
SKILL.md instructs the agent to call Bilibili APIs and run the included main.py; the script only reads the provided URL/BV, performs HTTP requests to Bilibili, parses XML (with optional zlib decompression), and writes local output files. It does not read arbitrary system files, access other environment variables, or send data to unexpected external endpoints.
Install Mechanism
ok
No install spec; requirements.txt lists only requests (requests>=2.28.0). This is low-risk and proportionate for a Python script that performs HTTP calls.
Credentials
ok
The skill requires no environment variables, no credentials, and no config paths. Network access to Bilibili is necessary and appropriate for the stated purpose.
Persistence & Privilege
ok
'always' is false and the skill does not request permanent/system-wide changes. It is user-invocable only and does not modify other skills or agent-wide settings.