Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
bilibili-research-kit
v1.0.0
Extract and analyze Bilibili video content using yt-dlp. Supports video metadata, danmaku (bullet comments), subtitle extraction, UP主 profile analysis, and s...
⭐ 0 · 56 · 0 current · 0 all-time
by 江辰 @xuya227939
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (high confidence)
Purpose & Capability
The SKILL.md clearly describes a yt-dlp–based Bilibili extraction toolkit and requires yt-dlp >= 2024.01.01, but the registry metadata lists no required binaries or credentials. The declared manifest omits the one core runtime dependency (yt-dlp), which is an incoherence the user should notice before installing or invoking the skill.
Instruction Scope
Runtime instructions are focused on extracting metadata, subtitles, and danmaku via yt-dlp and curl (comment.bilibili.com). However, the instructions recommend using `--cookies-from-browser` to access logged-in content; this reads the local browser cookie store and can expose session cookies. The SKILL.md also points users to a third-party site (snapvee.com) for downloads. These are within the skill's functional scope but carry privacy and trust implications that are not surfaced in the metadata.
Install Mechanism
There is no install spec (instruction-only), which minimizes supply-chain risk. However, the instructions require installing yt-dlp (brew/pip), a dependency not declared in the skill's 'required binaries' metadata. That mismatch could confuse automated install tooling or less-technical users.
Credentials
The skill declares no required environment variables or credentials (good), but the instructions ask users to export browser cookies for member-only content. Accessing browser cookies is effectively credential access and can expose unrelated site credentials; this capability is not declared or explained in the metadata and may be disproportionate for users unaware of the risk.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable with normal autonomous invocation allowed. It does not request persistent presence or system-wide configuration changes in the manifest.
What to consider before installing
This skill appears to do what it says (use yt-dlp + curl to extract Bilibili metadata, subtitles and danmaku), but before using it:
1) Note the manifest did not declare yt-dlp as a required binary; install yt-dlp from an official source yourself (Homebrew or PyPI).
2) Be cautious with the suggested `--cookies-from-browser` command: exporting browser cookies can expose your logged-in sessions; only do this on a machine/account you trust and avoid sharing the exported cookie files.
3) The skill links to a third-party download site (snapvee.com); do not assume endorsements, and vet that site separately.
4) Because the skill is instruction-only (no code bundled), there is no hidden code to audit, but also no provenance metadata. Check the claimed homepage/support (the manifest points to a GitHub issues URL and snapvee.com) and prefer skills with clear source repos.
If you need lower risk, run the shown yt-dlp and curl commands yourself locally rather than allowing an agent to run them autonomously.
Version: latest (vk9724myb701j4rmkh9n110jdqs83h4zg)
