📦 Garb Management

v1.0.1

Bilibili garb (personalized decoration) data collection and management. Search garb items, query suit/collection details, scan benefit data for owned items (including discontin...

Last updated: 2026/4/12
Security scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
The skill's code and instructions match its stated purpose (collecting Bilibili 'garb' data) but the package fails to declare the sensitive credentials it requires and explicitly instructs users to capture mobile-app secrets—this misalignment and the sensitive operational guidance warrant caution.
Assessment and recommendations
This skill appears to do what it says (query Bilibili garb APIs, use local gallery DBs, and write NDJSON results), but there are two practical concerns to weigh before installing: (1) It needs highly sensitive Bilibili credentials (access_key, SESSDATA, bili_jct, appsecret). Those give access to user-specific API data; treat them like passwords and only run the scripts on a trusted machine. (2) The SKILL.md explicitly tells you to capture credentials from the mobile app via mitmproxy/Charles. Th...
Detailed analysis
Purpose and capability
The name/description match what the scripts do: search, query, and scan Bilibili 'garb' endpoints and local gallery DBs. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md and scripts clearly require sensitive Bilibili credentials (access_key, SESSDATA, bili_jct, appsecret). The credentials are relevant to the functionality but their absence from the declared requirements is an inconsistency.
Instruction scope
The runtime instructions and scripts instruct the user/agent to read local workspace files (configs/bili-api-creds.json, data/decorations-database.json, optional local card/suit DB files) and to perform authenticated calls to Bilibili APIs. Critically, the SKILL.md explicitly advises obtaining credentials by capturing mobile-app traffic with mitmproxy/Charles—this is sensitive operational guidance that goes beyond routine setup and could be misused. The scripts themselves call only official api.bilibili.com endpoints and write results locally (ndjson/progress files), so there is no obvious hidden exfiltration endpoint, but the instructions for harvesting credentials are high-risk.
Install mechanism
No install spec is provided (instruction-only with included scripts). Nothing is downloaded or installed by an automated installer; code is run locally. This is lower risk than arbitrary network installs, but running included scripts still executes code on the host.
Credential requirements
The skill requires high-sensitivity secrets used to authenticate as a Bilibili user (access_key, SESSDATA, bili_jct, appsecret). Those are proportionate to calling signed Bilibili endpoints, but the package metadata did not declare these required env vars or a primary credential. The instruction to capture these secrets via network interception increases risk. Users should assume possession of full account-level access is needed for the script to function and so must protect these secrets accordingly.
Persistence and privileges
The skill is not always-enabled and does not request elevated platform privileges. It reads/writes files within its workspace (data/, configs/) but does not attempt to modify other skills or system-wide settings.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.1 · 2026/4/11

Add Apache-2.0 license

Pending

Install commands

Official: npx clawhub@latest install bilibili-garb
Mirror (accelerated): npx clawhub@latest install bilibili-garb --registry https://cn.longxiaskill.com

Skill documentation

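# Bilibili Garb (Bilibili personalized decorations)

Collect and manage Bilibili personalized decoration (garb) data: garb suits, digital card collections, and benefit sub-items.

## Configuration

All authentication credentials are read from environment variables or a configuration file. Create `configs/bili-api-creds.json` in the workspace:

```json
{
  "appkey": "27eb53fc9058f8c3",
  "appsecret": "",
  "access_key": "",
  "csrf": "",
  "DedeUserID": "",
  "SESSDATA": ""
}
```

Or export environment variables:

```bash
export BILI_SESSDATA=""
export BILI_ACCESS_KEY=""
export BILI_CSRF=""
export BILI_UID=""
```

> How to obtain credentials: capture them from Bilibili mobile-app HTTP traffic (e.g. mitmproxy, Charles). The access_key expires periodically and needs to be refreshed.

## Commands

### Search garb items

```bash
bash scripts/bilibili-garb-search.sh "关键词"
```

Searches both the official API and the local gallery database. The Markdown output includes:

- Collections (收藏集) and their biz_id
- Suit items (套装) and their item_id
- Discontinued items from the local gallery, tagged `[藏馆-绝版]`

### Query collection/suit details

```bash
bash scripts/bilibili-garb-collection.sh -i
```

- ID ≤ 6 digits → collection mode
- ID > 6 digits → suit mode
- Discontinued items automatically fall back to the local gallery database

### Scan benefit data

```bash
python3 scripts/garb-benefit-scan.py [options]
```

Reads owned garb items from `data/decorations-database.json`, calls the benefit API for each one, and appends the results to `data/garb-benefit-results.ndjson`.

Options:

- `--limit N`: process only the first N items
- `--dry-run`: only list the items to be scanned, without calling the API
- `--force`: rescan items that already have benefit data
- `--debug`: print the full API response

Supports resumable scanning (safe to Ctrl+C) and deduplication.

## Key API knowledge

The full API documentation is in `references/bilibili-garb-api-reference.md`. Key points:

1. Benefit API (`/x/garb/v2/user/suit/benefit`) is the only way to get data for discontinued items, and it requires a logged-in session.
2. DIY suits: when item_id contains a hyphen (e.g. `1775103232001-0`), pass biz_id as the item_id parameter; the original item_id returns -400.
3. part parameter: a single call with `part=space_bg` returns all 9 sub-item types; no loop is needed.
4. Rarity determination: follow the scarcity field of the item_list API. When scarcity_rate=2rate2_count==1, default to 小隐 (minor hidden, 30); do not automatically upgrade to 大隐 (major hidden).
5. DLC avatar frames: must be obtained from lottery_home_detail, not from the collection's own `frame/frame_image`.

## Standard operating procedure

The step-by-step workflow is in `references/bilibili-garb-sop.md`.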

Data source: ClawHub · Chinese localization: 龙虾技能库