Low Risk — Risk Score 15/100
Last scan: 22 hr ago
bilibili-all-in-one
Comprehensive Bilibili toolkit integrating hot trending monitoring, video downloading, watching/playback, subtitle downloading, and video publishing
A legitimate Bilibili video toolkit with no malicious behavior; all capabilities are properly declared, credentials are handled securely in-memory, and network traffic is restricted to official Bilibili and YouTube APIs.
Skill Name: bilibili-all-in-one
Duration: 63.0s
Engine: pi
Safe to install
Pin dependency versions in requirements.txt (e.g., httpx==0.24.0) to mitigate supply chain risk. Otherwise safe to use.

Findings (1 item)

Severity | Finding | Location
Low | All dependencies use unpinned >= versions without upper bounds | Supply Chain
requirements.txt specifies 'httpx>=0.24.0', 'bilibili-api-python>=16.0.0', etc. with no maximum version, so a malicious release published under the same package name could be installed automatically.
Evidence: httpx>=0.24.0
→ Pin exact versions (e.g., 'httpx==0.24.0') to prevent silent dependency substitution attacks
Location: requirements.txt:1
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All HTTP requests use httpx to api.bilibili.com, member.bilibili.com, upos-sz-up…
Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | Downloads videos to output_dir, writes subtitles, reads/writes credential files …
Shell | WRITE | WRITE | ✓ Aligned | downloader.py:384 calls asyncio.create_subprocess_exec('ffmpeg') for video mergi…
Environment | NONE | READ | ✓ Aligned | auth.py:42-46 reads BILIBILI_SESSDATA, BILIBILI_BILI_JCT, BILIBILI_BUVID3 from o…
Pre-scan flags: 27 findings (1 High, 26 Medium)

Severity | Type | Value | Location
High | IP Address (hardcoded IP address) | 120.0.0.0 | src/utils.py:55
Medium | External URL | https://img.shields.io/badge/python-%3E%3D3.8-blue?logo=python&logoColor=white | README.md:8
Medium | External URL | https://img.shields.io/badge/license-MIT-green | README.md:9
Medium | External URL | https://img.shields.io/badge/version-1.0.9-orange | README.md:10
Medium | External URL | https://img.shields.io/badge/platform-Bilibili%20%7C%20YouTube-pink | README.md:11
Medium | External URL | https://www.bilibili.com | README.md:98
Medium | External URL | https://www.bilibili.com/video/BVxxxxxx | README.md:211
Medium | External URL | https://www.youtube.com/watch?v=xxxxx | README.md:212
Medium | External URL | https://youtu.be/xxxxx | README.md:212
Medium | External URL | https://www.youtube.com/watch?v=dQw4w9WgXcQ | README.md:228
Medium | External URL | https://youtu.be/dQw4w9WgXcQ | README.md:235
Medium | External URL | https://clawhub.ai/Jacobzwj/bilibili-hot-monitor | README.md:448
Medium | External URL | https://clawhub.ai/caiyundc880518/bililidownloader | README.md:449
Medium | External URL | https://clawhub.ai/donnycui/bilibili-youtube-watcher | README.md:450
Medium | External URL | https://clawhub.ai/DavinciEvans/bilibili-subtitle-download-skill | README.md:451
Medium | External URL | https://clawhub.ai/e421083458/bilibili-player | README.md:452
Medium | External URL | https://clawhub.ai/Johnnyxu820/bilibili-video-publish | README.md:453
Medium | External URL | https://www.bilibili.com/video/BV1xx411c7mD | skill.json:131
Medium | External URL | https://www.bilibili.com/video/ | src/downloader.py:102
Medium | External URL | https://member.bilibili.com/preupload | src/publisher.py:16
Medium | External URL | https://upos-sz-upcdnbda2.bilivideo.com | src/publisher.py:17
Medium | External URL | https://upos-sz-upcdnbda2.bilivideo.com/ | src/publisher.py:470
Medium | External URL | https://api.bilibili.com | src/utils.py:13
Medium | External URL | https://www.youtube.com/oembed | src/watcher.py:142
Medium | External URL | https://www.youtube.com/watch?v= | src/watcher.py:143
Medium | External URL | https://www.youtube.com/@RickAstley | tests/test_all_skill_examples.py:403
Medium | External URL | https://i.ytimg.com/vi/dQw4w9WgXcQ/hqdefault.jpg | tests/test_all_skill_examples.py:404

File Tree

18 files · 182.0 KB · 5460 lines
Python 12 files · 4014 lines; Markdown 3 files · 1071 lines; JSON 2 files · 369 lines; Text 1 file · 6 lines
├─ 📁 src
│ ├─ 🐍 __init__.py Python 19L · 515 B
│ ├─ 🐍 auth.py Python 158L · 5.0 KB
│ ├─ 🐍 downloader.py Python 443L · 14.5 KB
│ ├─ 🐍 hot_monitor.py Python 241L · 7.2 KB
│ ├─ 🐍 player.py Python 392L · 11.9 KB
│ ├─ 🐍 publisher.py Python 655L · 20.4 KB
│ ├─ 🐍 subtitle.py Python 498L · 15.7 KB
│ ├─ 🐍 utils.py Python 250L · 6.5 KB
│ └─ 🐍 watcher.py Python 346L · 11.0 KB
├─ 📁 tests
│ ├─ 🐍 __init__.py Python 1L · 16 B
│ └─ 🐍 test_all_skill_examples.py Python 860L · 35.2 KB
├─ 📋 _meta.json JSON 5L · 139 B
├─ 🐍 main.py Python 151L · 4.9 KB
├─ 📝 README.md Markdown 486L · 15.8 KB
├─ 📄 requirements.txt Text 6L · 109 B
├─ 📋 skill.json JSON 364L · 12.5 KB
├─ 📝 skill.md Markdown 569L · 19.6 KB
└─ 📝 STRUCTURE.md Markdown 16L · 794 B

Dependencies (6 items)

Package | Version | Source | Known Vulns | Notes
httpx | >=0.24.0 | pip | No | Version not pinned
bilibili-api-python | >=16.0.0 | pip | No | Version not pinned
aiohttp | >=3.8.0 | pip | No | Version not pinned
beautifulsoup4 | >=4.12.0 | pip | No | Version not pinned
lxml | >=4.9.0 | pip | No | Version not pinned
requests | >=2.31.0 | pip | No | Version not pinned

Security Positives

✓ All network endpoints are restricted to official Bilibili domains and YouTube oEmbed API — no unknown IP connections
✓ Credentials are stored in-memory by default; disk persistence requires explicit user call to save_to_file()
✓ Credential files are saved with 0600 (owner-only) permissions when explicitly requested
✓ SKILL.md and skill.json provide comprehensive, accurate documentation of all capabilities
✓ No base64-decode+execute patterns, no eval(), no exec(), no obfuscated code
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) — only Bilibili-specific env vars declared in docs
✓ No C2 communication, no reverse shells, no data exfiltration
✓ Pre-scan flag '120.0.0.0' is a false positive — it is the Chrome version number in a User-Agent string (Chrome/120.0.0.0), not an IP address