bilibili-downloader
Audited by Socket on Mar 1, 2026
1 alert found:
Security: The provided skill is a plausible Bilibili downloader + vocal-extraction utility. Its requested capabilities (downloading videos, using cookies for authenticated downloads, invoking yt-dlp/ffmpeg, and using an ML model for vocal separation) are consistent with the stated purpose. The primary risks are supply-chain and credential-safety related: (1) forwarding browser cookies to yt-dlp is sensitive and could leak authentication tokens if the skill or dependencies are malicious; (2) model weights and package dependencies may be downloaded from third-party hosts without pinned sources or integrity checks, creating a download-execute supply-chain risk; (3) the skill executes external binaries and Python scripts from the user's home path, which requires trusting the packaged code. I find no explicit malicious code or exfiltration endpoints in the documentation provided, so I classify this as not evidently malicious but moderately risky from a supply-chain and credential-exposure perspective. Recommend verifying package origin, pinning package/model sources and checksums, avoiding sharing browser cookies unless absolutely necessary, and running processing in a restricted environment or sandbox.