Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bilibili Video Summarizer
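v1.0.0
A tool for downloading and summarizing Bilibili (B站) video subtitles. This skill is triggered when the user says "help me summarize this Bilibili video", "Bilibili video summary", "summarize Bilibili video", "what does this video say", or "what is this video about". It automatically downloads subtitles from Bilibili (both official and AI-generated subtitles are supported), parses them into plain text, and summarizes the video content. Bilingual Chinese and English subtitles are supported.
by @yeezi02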
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (download B站 subtitles and summarize) matches the supplied scripts and instructions. Required artifacts (a Bilibili session cookie in a Netscape cookie file and the yt-dlp tool) are logically needed to fetch authenticated subtitles. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions ask the user to extract and save the SESSDATA cookie and then run the included scripts to download and parse subtitles. This is within scope, but it involves handling a sensitive session cookie: the skill instructs the agent to store it at ~/.config/bilibili-cookies.txt. The SKILL.md and references claim the agent can "save it automatically," but there is no provided code that writes the cookie file — that will rely on the agent or the user to perform. The scripts themselves only read the local cookie file and do not reference other system files.
Install Mechanism
There is no installer; this is instruction + two small scripts. The only external dependency mentioned is yt-dlp (recommended via pip). No archive downloads, no URLs to arbitrary executables, and no extract/execute operations from unknown hosts are present.
Credentials
The skill requests no environment variables or cloud credentials. It does require the user's SESSDATA cookie stored in ~/.config/bilibili-cookies.txt — this is sensitive but proportionate to the stated goal (authenticated subtitle downloads). The guidance claims the cookie is 'never sent elsewhere'; the code provided does not send it, but you should assume the agent (or whatever host runs this skill) could access or transmit that file unless you trust the environment.
Persistence & Privilege
always:false and no special privileges are requested. The skill writes subtitle output to /tmp by default and reads a cookie from the user's home config; it does not modify other skills' configs or request permanent platform-wide presence.
Assessment
This skill appears to do what it says, but it requires a Bilibili SESSDATA cookie (a session secret) to download authenticated subtitles. Before installing or using it: 1) Only paste or store SESSDATA on a trusted machine; the cookie grants authenticated access and should be treated like a password. 2) If possible, save the cookie manually (as described) rather than relying on an agent to "save it automatically." 3) Revoke or rotate your Bilibili session (log out / change session) after use if you are concerned. 4) Install yt-dlp from its official source (pip or package manager) to avoid tampered binaries. 5) Be aware the parsed subtitle text is printed to stdout (and therefore will be visible to the agent/LLM you use) — do not summarize videos containing sensitive personal data unless you trust the processing environment.
Like a lobster shell, security has layers — review code before you run it.
Tags: bilibili, latest, subtitle, summarizer, video
