Low risk: risk score 5/100
Last scan: 2 days ago
bilibili-all-in-one
Comprehensive Bilibili toolkit integrating hot trending monitoring, video downloading, subtitle downloading, playback/danmaku, and video publishing capabilities
A legitimate Bilibili API toolkit with well-documented credential handling and network endpoints; the pre-scan hardcoded-IP flag is a false positive — all URLs use HTTPS domain names. No malicious patterns detected.
Skill name: bilibili-all-in-one
Analysis time: 57.2s
Engine: pi
Verdict: safe to install
Safe to use. Ensure users provide credentials via environment variables rather than files, and use a test account since SESSDATA/bili_jct are full session cookies.

Security findings: 4

Severity | Finding | Location

Low: Pre-scan hardcoded-IP flag is a false positive
The pre-scan IOC flagged '120.0.0.0' at src/utils.py:55 as a hardcoded IP address. Inspection of the actual file shows all API endpoints use HTTPS domain names (api.bilibili.com, member.bilibili.com, etc.). The pre-scan may have miscounted line numbers or scanned a different file version. No hardcoded IP addresses exist in the code.
API_SUBTITLE = f"{API_BASE}/x/player/v2"  # Uses domain-based API_BASE
→ No action needed. The hardcoded-IP flag is a false positive.
Location: src/utils.py:55

Info: Subprocess (ffmpeg) not declared in SKILL.md
downloader.py uses asyncio.create_subprocess_exec('ffmpeg') to merge video and audio streams. This command execution is not declared in the SKILL.md capability declarations.
proc = await asyncio.create_subprocess_exec('ffmpeg', '-y', '-i', video_path, '-i', audio_path, '-c', 'copy', output_path, ...)
→ Add ffmpeg to the install requirements documentation. Consider declaring shell:WRITE capability in SKILL.md.
Location: src/downloader.py:373

Info: Browser opens local captcha page not declared as capability
publisher.py's delete_with_captcha starts a local HTTP server and opens the user's browser via webbrowser.open(). This browser interaction is documented in SKILL.md but not declared in the allowed-tools capability mapping.
webbrowser.open(f"http://127.0.0.1:{port}")
→ This is documented and intentional (Bilibili captcha verification), but the browser:WRITE capability should be added to SKILL.md for completeness.
Location: src/publisher.py:702

Info: Filesystem WRITE not fully declared in capability matrix
SKILL.md declares filesystem:READ, but the skill writes downloaded videos, subtitle files, and optionally credentials to disk. These are all documented features, just not reflected in the declared capability level.
Multiple file write operations for downloads, subtitles, and credential files
→ Update SKILL.md to declare filesystem:WRITE since the skill legitimately writes files as part of its core functionality.
Location: src/downloader.py, src/subtitle.py, src/auth.py
Resource | Declared | Inferred | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md declares HTTPS to Bilibili APIs only; code uses httpx/aiohttp to api.bi…
Filesystem | READ | WRITE | ✓ Consistent | SKILL.md lists 'Read' for filesystem but code writes downloaded videos (download…
Environment variables | READ | READ | ✓ Consistent | auth.py reads BILIBILI_SESSDATA, BILIBILI_BILI_JCT, BILIBILI_BUVID3 from os.envi…
Command execution | NONE | WRITE | ✓ Consistent | downloader.py:373 calls asyncio.create_subprocess_exec('ffmpeg') for video/audio…
Skill invocation | NONE | NONE | | No skill_invoke usage detected
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | WRITE | ✓ Consistent | publisher.py:delete_with_captcha opens user browser via webbrowser.open() to htt…
Database | NONE | NONE | | No database access detected
Pre-scan indicators: 1 high severity, 29 findings

Severity | Type | Value | Location
High | Hardcoded IP address | 120.0.0.0 | src/utils.py:55
Medium | External URL | https://img.shields.io/badge/python-%3E%3D3.8-blue?logo=python&logoColor=white | README.md:8
Medium | External URL | https://img.shields.io/badge/license-MIT-green | README.md:9
Medium | External URL | https://img.shields.io/badge/version-1.0.9-orange | README.md:10
Medium | External URL | https://img.shields.io/badge/platform-Bilibili-pink | README.md:11
Medium | External URL | https://www.bilibili.com | README.md:98
Medium | External URL | https://www.bilibili.com/video/BVxxxxxx | README.md:211
Medium | External URL | https://clawhub.ai/Jacobzwj/bilibili-hot-monitor | README.md:442
Medium | External URL | https://clawhub.ai/caiyundc880518/bililidownloader | README.md:443
Medium | External URL | https://clawhub.ai/donnycui/bilibili-youtube-watcher | README.md:444
Medium | External URL | https://clawhub.ai/DavinciEvans/bilibili-subtitle-download-skill | README.md:445
Medium | External URL | https://clawhub.ai/e421083458/bilibili-player | README.md:446
Medium | External URL | https://clawhub.ai/Johnnyxu820/bilibili-video-publish | README.md:447
Medium | External URL | https://www.bilibili.com/video/BV1xx411c7mD | skill.json:137
Medium | External URL | https://www.bilibili.com/video/ | src/downloader.py:102
Medium | External URL | https://member.bilibili.com/preupload | src/publisher.py:19
Medium | External URL | https://upos-sz-upcdnbda2.bilivideo.com | src/publisher.py:20
Medium | External URL | https://member.bilibili.com | src/publisher.py:21
Medium | External URL | https://passport.bilibili.com/x/passport-login/captcha | src/publisher.py:27
Medium | External URL | https://static.geetest.com/static/js/gt.0.4.9.js | src/publisher.py:73
Medium | External URL | https://member.bilibili.com/ | src/publisher.py:640
Medium | External URL | http://127.0.0.1: | src/publisher.py:702
Medium | External URL | https://upos-sz-upcdnbda2.bilivideo.com/ | src/publisher.py:821
Medium | External URL | https://api.bilibili.com | src/utils.py:13
Medium | External URL | https://b23.tv/BV1xx411c7mD | tests/test_comprehensive.py:143
Medium | External URL | https://www.bilibili.com/video/av12345 | tests/test_comprehensive.py:160
Medium | External URL | https://www.example.com/video | tests/test_comprehensive.py:228
Medium | External URL | http://cover.jpg | tests/test_comprehensive.py:447
Medium | External URL | http://face.jpg | tests/test_comprehensive.py:448

Directory structure

18 files · 270.0 KB · 7607 lines
Python: 13 files · 6123 lines; Markdown: 3 files · 1106 lines; JSON: 1 file · 372 lines; Text: 1 file · 6 lines
├─ 📁 src
│ ├─ 🐍 __init__.py Python 19L · 515 B
│ ├─ 🐍 auth.py Python 158L · 5.0 KB
│ ├─ 🐍 downloader.py Python 443L · 14.5 KB
│ ├─ 🐍 hot_monitor.py Python 241L · 7.2 KB
│ ├─ 🐍 player.py Python 392L · 11.9 KB
│ ├─ 🐍 publisher.py Python 1045L · 36.3 KB
│ ├─ 🐍 subtitle.py Python 730L · 23.7 KB
│ ├─ 🐍 utils.py Python 237L · 6.1 KB
│ └─ 🐍 watcher.py Python 310L · 9.7 KB
├─ 📁 tests
│ ├─ 🐍 __init__.py Python 1L · 16 B
│ ├─ 🐍 test_all_skill_examples.py Python 854L · 34.9 KB
│ └─ 🐍 test_comprehensive.py Python 1537L · 63.6 KB
├─ 🐍 main.py Python 156L · 5.1 KB
├─ 📝 README.md Markdown 480L · 15.4 KB
├─ 📄 requirements.txt Text 6L · 109 B
├─ 📋 skill.json JSON 372L · 13.3 KB
├─ 📝 skill.md Markdown 610L · 21.9 KB
└─ 📝 STRUCTURE.md Markdown 16L · 794 B

Dependency analysis: 6 packages

Package | Version | Source | Known vulnerabilities | Notes
httpx | >=0.24.0 | pip | | Version range, not pinned
bilibili-api-python | >=16.0.0 | pip | | Version range, not pinned
aiohttp | >=3.8.0 | pip | | Version range, not pinned
beautifulsoup4 | >=4.12.0 | pip | | Version range, not pinned
lxml | >=4.9.0 | pip | | Version range, not pinned
requests | >=2.31.0 | pip | | Version range, not pinned

Security highlights

✓ All network requests go to documented Bilibili official API domains over HTTPS (api.bilibili.com, member.bilibili.com, upos-sz-upcdnbda2.bilivideo.com)
✓ No base64-encoded payloads, reverse shells, or code injection patterns found
✓ No credential exfiltration — credentials are only sent to Bilibili's own APIs
✓ SKILL.md provides comprehensive security documentation including credential scope, best practices, and network endpoint list
✓ Credentials are not persisted to disk by default (requires explicit save_to_file() call)
✓ Saved credential files use restrictive 0600 permissions
✓ Subprocess (ffmpeg) is used only for legitimate video merging and is documented
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env scanning)
✓ The pre-scan hardcoded-IP flag (120.0.0.0) is confirmed as a false positive — no IP literals in code
✓ All imports are standard PyPI packages with no known malicious indicators
✓ Strong input sanitization: sanitize_filename() removes invalid characters and limits filename length to 200 chars
✓ Local HTTP server for captcha only binds to 127.0.0.1 (not exposed externally) and auto-closes after verification